November 2007
Report No. EVAL-08-001

The FDIC’s Internal Risk Management Program

Executive Summary
Report No. EVAL-08-001
November 2007

The FDIC’s Internal Risk Management Program

Background and Purpose of Evaluation

Enterprise Risk Management (ERM) is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise. ERM is designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

ERM is a fundamental element of corporate governance practices in an organization. According to Protiviti®, Inc., a leading provider of independent internal audit and business and technology risk consulting services, “ERM is about establishing the oversight, control and discipline to drive continuous improvement of an entity’s risk management in a changing operating environment.”

In May 2004, the FDIC changed the name and focus of the Office of Internal Control Management to the Office of Enterprise Risk Management (OERM) and charged OERM with the responsibility of administering the FDIC’s enterprise-wide risk management program.

Our objective was to assess: (1) the extent to which the FDIC has implemented an ERM program consistent with applicable government-wide guidance, and (2) OERM’s implementation of FDIC Circular 4010.3, FDIC Enterprise Risk Management Program, dated September 25, 2006.

A principal source of criteria that we used in evaluating the Corporation’s approach to internal risk management is the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Enterprise Risk Management — Integrated Framework. OERM’s ERM policy (Circular 4010.3) states that the FDIC emphasizes guidance provided by COSO and references the ERM Framework.

Additionally, we researched relevant federal guidelines and practices related to ERM. We also consulted extensive work by Protiviti®, Inc., to gauge the maturity of OERM’s risk management efforts and discern best practices in enterprise risk management.

Finally, we were mindful of the results of the recent study conducted by the U.S. Government Accountability Office (GAO) related to the Corporation’s external risk management activities.

To view the full report, go to www.fdicig.gov/2008report.asp

Results of Evaluation

The FDIC has a number of internally-focused committees and groups that help to keep the Board, Chairman, and senior executives informed of management operations and internal risks facing the Corporation and aid them in their decision-making. Taken collectively, these committees and groups as well as their respective reports and briefings provide a comprehensive means for managing internal risk and establishing transparency. More could be done, however, to (1) institutionalize how these entities interrelate and support ERM and (2) ensure the continuity of risk management efforts as changes in leadership and/or senior management occur.

We evaluated the FDIC’s overall internal ERM efforts against key concepts and principles of COSO’s ERM Framework. We also evaluated the FDIC’s overall ERM efforts against the provisions of Office of Management and Budget Circular A-123, Management’s Responsibility for Internal Control. The FDIC has implemented elements of several of the ERM Framework components through the establishment and actions of OERM and has established other internal risk management functions outside of OERM’s purview. However, the FDIC’s overall ERM program varies in some respects from what is recommended by COSO. Although organizations have latitude and flexibility in implementing ERM to meet specific needs, the FDIC may wish to further study the following aspects of its ERM program to maximize the effectiveness and efficiency of the various risk management activities currently in place throughout the Corporation.

• Defining and communicating the Corporation’s risk appetite and ensuring that corporate objectives are aligned with that appetite;
• Implementing corporate-wide consistent processes for identifying, assessing, and responding to risks;
• Establishing effective channels for OERM to communicate risk information up, down, and across the Corporation; and
• Monitoring the implementation of the overall ERM program.

According to the FDIC Bylaws and implementing policy reflected in Circular 4010.3, FDIC Enterprise Risk Management Program, OERM is responsible for administering a comprehensive ERM program at the FDIC. OERM has issued policy providing high-level guidance for ERM program requirements and detailed guidance to OERM staff who serve as risk managers on large IT projects. FDIC senior officials advised us that they are pleased with OERM’s contribution to risk management and key internal initiatives. However, we noted that OERM’s activities and focus are inconsistent with the FDIC Bylaws and policy governing the Corporation’s ERM program. In this regard, the FDIC could benefit from adding more structure to OERM’s existing internal ERM policy and program, by:

• Defining the roles of the FDIC Board, Chairman, and Audit Committee in ERM and reconciling the stated role of OERM with actual practice;
• Issuing comprehensive procedures and guidance to establish consistent processes, tools, techniques, and models for identifying, assessing, mitigating, and reporting risks; and
• Providing corporate-wide training in ERM.

We evaluated the status of the FDIC’s internal ERM program as administered by OERM against an ERM capability maturity model developed by Protiviti®, Inc., that provides criteria for ranking ERM programs on a continuum of five stages of maturity from an Initial State to an Optimizing State. We concluded that the internal ERM program is in the Initial State, but possesses certain attributes of the Repeatable State, the second level of maturity. Characteristics of the Repeatable State include a basic policy structure, basic risk management processes, and basic control activities, all of which the FDIC possesses. However, the Repeatable State is also described as having explicitly defined and understood roles and commitments, people trained in the ERM process, independent spreadsheet models, and regular actionable reports—areas in which OERM’s program has not progressed as far.

Finally, this report includes a matter for the FDIC’s consideration regarding the relationship between the Corporation’s internal and external risk management efforts. The FDIC’s ERM Program is limited to internal FDIC operations, by design. However, this approach varies from the fundamental COSO tenet that ERM should be applied across the enterprise, at every level and unit, and should include taking an entity-level portfolio view of risk and consider interrelated risks from that perspective. In the interest of furthering effective corporate governance practices, we suggest that the FDIC examine the relationships between the Corporation’s internal and external risk management activities to ensure they are complementary or integrated to the extent they efficiently and effectively mitigate any current or future risks to the successful accomplishment of the FDIC mission.

OIG Recommendations and Management Response

Much of the material in this report is informational—to provide an understanding of the various ERM activities currently in place throughout the Corporation. However, the report also contains seven recommendations and two suggestions intended to: (1) address the variances between certain current FDIC practices and approaches to ERM and those advocated by the COSO ERM Framework and applicable FDIC and government-wide guidance and (2) add clarity and structure to the ERM program.

After discussing the draft report findings, suggestions, and recommendations with the Chairman, management provided us a written response, dated October 18, 2007. FDIC management agreed in its response to our draft report to:

• Develop a more comprehensive blueprint to enhance coordination and to document the various committees and groups that contribute to ERM,
• Take efforts to more clearly define and communicate the Corporation’s risk appetite and ensure that corporate objectives are aligned, and
• Clarify the roles of the Chairman, the Board, and the Audit Committee in relation to the ERM program.

These actions are responsive to one of our suggestions and two of our recommendations. Management disagreed with the remaining five recommendations and suggestion. In this instance, because the Chairman, who serves as the Corporation’s audit follow-up official, has been involved in the response process, management’s written comments constitute the FDIC’s final determinations regarding the suggestions and recommendations in our draft report. Accordingly, we consider the recommendations closed and will not pursue them further. The Chairman committed to tracking those corrective actions agreed to by management. Accordingly, management’s planned actions in response to (1) our suggestion regarding documenting how the various committees and groups interrelate in managing internal risk and (2) Recommendations 1 and 5 should be included in the Corporation’s Internal Risks Information System, along with expected completion dates.

TABLE OF CONTENTS

EVALUATION OBJECTIVE ..... 1
BACKGROUND ..... 2
EVALUATION RESULTS ..... 5
FDIC Committees and Groups that Contribute to Internal Risk Management ..... 5
     Suggestion for Management ..... 8
Comparison of the FDIC’s Overall Internal ERM Efforts to the COSO ERM Framework ..... 9
     Internal Environment ..... 9
     Objective Setting ..... 12
     Event Identification ..... 13
     Risk Assessment ..... 16
     Risk Response ..... 18
     Control Activities ..... 19
     Information and Communication ..... 21
     Monitoring ..... 26
     Recommendations ..... 27
Structure of the FDIC’s Internal ERM Program ..... 29
     Roles and Responsibilities ..... 30
     Policies and Procedures ..... 32
     Training Programs ..... 33
     Maturity Level of the FDIC’s Internal ERM Program ..... 34
     Maturity Assessment of the FDIC’s Internal ERM Program ..... 36
     Recommendations ..... 36
Other Matter for Consideration: Integrating Enterprise Risk Management at the FDIC ..... 37
     Enterprise Risk Management at the FDIC ..... 37
     Opportunities to Enhance ERM at the FDIC ..... 40
Corporation Comments and OIG Evaluation ..... 40
Appendix I: Objective, Scope, and Methodology ..... 45
Appendix II: Division and Office Risk Management/Internal Review Programs ..... 48
Appendix III: Corporation Comments ..... 52
Appendix IV: Management Responses to Recommendations ..... 64

Tables:
Table 1: Common Elements of ERM Infrastructure ..... 29
Table 2: Examples of ERM-Related Training Topics ..... 33
Table 3: Division and Office Internal Review Staffing ..... 48

Figures:
Figure 1: COSO ERM Framework ..... 2
Figure 2: Internally-Focused Committees and Groups that Contribute to Internal ERM ..... 6
Figure 3: Protiviti®, Inc. ERM Maturity Model ..... 35
Figure 4: Entities that Contribute to Internal and External Risk Management ..... 39

ACRONYM LIST

ADR          Alternative Dispute Resolution
AICS         Administration & Internal Control Section, Division of Finance
APP          Annual Performance Plan
AU           Accountability Unit
BAPA         Budget and Accounting Procedures Act of 1950
CEO          Chief Executive Officer
CFO          Chief Financial Officer
CFO Act      Chief Financial Officers Act of 1990
CIO          Chief Information Officer
CIRC         Capital Investment Review Committee
CM           Corporate Manager
COBIT©       Control Objectives for Information and Related Technology
COO          Chief Operating Officer
COSO         Committee of Sponsoring Organizations
CPO          Corporate Performance Objective
CU           Corporate University
DIR          Division of Insurance and Research
DIT          Division of Information Technology
DOA          Division of Administration
DOF          Division of Finance
DRR          Division of Resolutions and Receiverships
DSC          Division of Supervision and Consumer Protection
ERM          Enterprise Risk Management
FDIC         Federal Deposit Insurance Corporation
FDIC Board   FDIC Board of Directors
FFIEC        Federal Financial Institutions Examination Council
FFMIA        Federal Financial Management Improvement Act
FISMA        Federal Information Security Management Act
FMFIA        Federal Managers’ Financial Integrity Act of 1982
GAO          Government Accountability Office
GPRA         Government Performance and Results Act of 1993
ICL          Internal Control Liaison
ICRS         Internal Control and Review Section, Division of Supervision and Consumer Protection
IRG          Internal Review Group, Legal Division
IT           Information Technology
MSS          Management Support Section, Division of Administration
NFE          New Financial Environment
NRC          National Risk Committee
OCC          Office of the Comptroller of the Currency
ODEO         Office of Diversity and Economic Opportunity
OERM         Office of Enterprise Risk Management
OICM         Office of Internal Control Management
OIG          Office of Inspector General
OMB          Office of Management and Budget
OPA          Office of Public Affairs

Federal Deposit Insurance Corporation
3501 Fairfax Drive, Arlington, VA 22226                                 Office of Inspector General

DATE:            November 30, 2007

MEMORANDUM TO:   Sheila C. Bair
                 Chairman, FDIC

FROM:            Jon T. Rymer [Signed]
                 Inspector General

SUBJECT:         The FDIC’s Internal Risk Management Program
                 (Report No. EVAL-08-001)

Enterprise Risk Management (ERM) is a process designed to help management effectively deal with risks to achieving an entity’s objectives. ERM integrates risk management with existing management processes, identifies future events that can have both positive and negative effects, and evaluates effective strategies for managing the organization’s exposure to those possible future events. It aligns strategy, people, processes, technology, and knowledge with a strategic emphasis and an enterprise-wide application.[1]

The FDIC has a number of committees and groups that contribute to the FDIC’s overall ERM efforts. Further, the FDIC established the Office of Enterprise Risk Management (OERM) to be responsible for ensuring that the Corporation has a risk management program in place and operational for all divisions and offices. OERM specifically focuses on risks internal to the FDIC while external risk management is the primary responsibility of other divisions and offices throughout the Corporation.

EVALUATION OBJECTIVE

Our objective was to assess:

• the extent to which the FDIC has implemented an ERM program consistent with applicable government-wide guidance and
• OERM’s implementation of FDIC Circular 4010.3, FDIC Enterprise Risk Management Program, dated September 25, 2006.

Appendix I describes in detail our objective, scope, and methodology.

[1] Description of ERM is based on a publication entitled, Enterprise Risk Management: Practical Implementation Ideas, by Protiviti®, Inc., an independent risk consulting firm. Protiviti®, Inc., has issued a number of ERM-related publications and has been recognized by an independent research firm as a risk consulting services leader.
The Managing Director for Protiviti®, Inc., was also a member of the Project Advisory Council to COSO during development of the ERM Framework.

BACKGROUND

   The Committee of Sponsoring Organizations of the Treadway Commission (COSO) defines ERM as “a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”

COSO’s report, Enterprise Risk Management – Integrated Framework (September 2004), defines essential components, suggests a common language, and provides direction and guidance for ERM. Notably, ERM requires an entity to take a “portfolio” view of risk that examines the entire organization, from the enterprise level, to a division or subsidiary, to the level of a single business unit’s processes. As shown in Figure 1, ERM consists of eight interrelated components, which are integral to the way management runs the enterprise. The components are linked and serve as criteria for determining whether ERM is effective.

Internal control is encompassed within, and is an integral part of, ERM. ERM is broader than internal control, expanding and elaborating on internal control to form a more robust conceptualization focusing more fully on risk.

Figure 1: COSO ERM Framework (Source: COSO ERM Integrated Framework, dated September 2004)

History of Internal Control and ERM at the FDIC

In May 1996, the FDIC Board of Directors (FDIC Board) created the Office of Internal Control Management (OICM) to act as the corporate oversight manager for risk management and internal control. OICM’s responsibilities included developing and implementing cost-effective programs to evaluate and strengthen internal controls, establishing guidelines and providing training related to internal controls, assisting program managers in identifying significant weaknesses and promoting timely and cost-effective corrective action, and establishing guidelines for a standard visitation program to effectively assess the condition of significant FDIC activities.

In March 2004, the FDIC Chief Financial Officer (CFO) proposed that OICM’s office name be changed to OERM to better reflect industry risk management best practices and OICM’s focus and initiatives at the time, particularly working with Information Technology (IT) security initiatives and serving as risk managers for several high-profile IT projects. In May 2004, the prior Chairman and the FDIC Board approved changes to the FDIC Bylaws to reflect the name change and revisions to the powers and duties of OICM.

According to the FDIC Bylaws, the Director, OERM, is responsible for administering the enterprise-wide risk management program that monitors and manages risk by maintaining partnerships with FDIC divisions and offices, providing training, and addressing internal control deficiencies. In addition to implementing a comprehensive ERM program, OERM is responsible for facilitating the annual assurance statement process, conducting program evaluations of the FDIC’s major business lines, serving as a liaison to OIG and United States Government Accountability Office (GAO) auditors, providing staff support to the FDIC Audit Committee, and monitoring audit follow-up and resolution activities.
OERM’s ERM policy (Circular 4010.3) states that the FDIC emphasizes guidance provided by COSO and references the ERM Framework.

OERM’s staffing consists of 13 employees, including a Director, an Assistant Director, 3 Senior Management Analysts (CG-15), 5 Senior Management Analysts (CG-14), 1 Management Analyst (CG-11), 1 Secretary, and 1 Student Intern. OERM’s total budget for 2007 is about $2.2 million.

In addition, the FDIC has about 57 employees[2] assigned to divisional and office risk management/internal review units that perform internal control-related work for their respective division and office directors. These units may coordinate their efforts with OERM, but do not report to OERM. Appendix II provides detailed information about each of the division and office risk management/internal review units.

Legal and Regulatory Requirements

The Congress has long recognized the importance of strong internal control and enacted a number of related laws and requirements, including the following:

• Budget and Accounting Procedures Act of 1950 (BAPA), which required executive agencies, excluding government corporations, to establish and maintain systems of accounting and internal controls;
• Federal Managers’ Financial Integrity Act of 1982 (FMFIA), which amended the Accounting and Auditing Act of 1950 (imbedded in BAPA) by requiring executive agencies to establish a continuous process for internal control assessment and improvement and to publicly report on the status of efforts by signing annual statements of assurance regarding their internal controls and accounting system;
• Chief Financial Officers Act of 1990 (CFO Act), which required government corporations to prepare statements on internal accounting and administrative control systems consistent with the corresponding requirements of the FMFIA;
• Government Performance and Results Act of 1993 (GPRA), which required agencies, including the FDIC, to set strategic and performance goals, and measure performance toward the goals; and
• Federal Financial Management Improvement Act of 1996 (FFMIA), which identified internal control as an integral part of improving financial management systems. This statute does not, however, apply to the FDIC.

[2] Some of these division and office employees have collateral duties beyond risk management.

The FMFIA required the Comptroller General to establish internal control standards and the Office of Management and Budget (OMB) to issue guidelines for agencies to follow in assessing internal control. The Comptroller General issued Standards for Internal Control in the Federal Government in 1983, identifying five standards for internal control. In 1999, the Comptroller General revised and reissued the internal control standards.

OMB issued Circular A-123, Internal Control Systems, in October 1981 in anticipation of FMFIA becoming law. In December 2004, OMB released a revised Circular A-123, Management’s Responsibility for Internal Control, to provide updated internal control standards and new specific requirements for conducting management’s assessment of the effectiveness of internal control over financial reporting.
The revision also emphasizes the need for agencies to integrate and coordinate internal control assessments with other internal control-related activities and requires agencies to annually evaluate and report on the control and the financial management systems that protect the integrity of federal programs. Additional requirements for financial management systems are contained in OMB Circular A-127, Financial Management Systems, which expands upon the notion of agency accounting systems per FMFIA.

The FDIC considers Circular A-123 as setting forth "best practices" and has stated that, so long as the FDIC complies with the applicable FMFIA provisions on internal control, the Corporation will have complied with Circular A-123.

EVALUATION RESULTS

FDIC Committees and Groups that Contribute to Internal Risk Management

The FDIC has a number of internally-focused committees and groups that help to keep the FDIC Board, Chairman, Audit Committee, and senior-most executives informed of management operations and internal risks facing the Corporation and aid them in their decision-making. Taken collectively, these committees and groups and associated reports and briefings provide a comprehensive means for managing internal risk and establishing transparency.

We concluded that more could be done to institutionalize how these various entities interrelate and support ERM and to ensure the continuity of the Corporation's risk management efforts in the event of changes in leadership and/or senior management. As discussed below, many of these committees and groups are responsible for managing or monitoring specific internal corporate operations or functions such as major capital investments, system development efforts, or human capital initiatives that have the potential to present risks to the Corporation.
While many of these committees have charters that specifically establish their purpose, membership, regular meetings, and reporting responsibilities, we did not see a clear articulation of how these committees and groups interact to support ERM in the Corporation. The FDIC's CFO indicated that such interactions do occur and are understood by FDIC managers, but acknowledged that such interactions could be better documented.

Figure 2 below presents our understanding of the committees and groups involved in keeping the FDIC Board, Chairman, Audit Committee, and senior FDIC executives, such as the Chief Operating Officer (COO) and the CFO, aware of management operations and internal risks facing the Corporation and aiding them in their decision-making. [3] A brief discussion of each committee or group follows the figure. Figure 2 is not exhaustive and there may be other groups involved in internal risk management. In addition, Figure 2 does not include the committees and groups responsible for monitoring external risks facing the Corporation.

[3] We did not evaluate these committees or assess their activities in our review.
Rather, through research, we obtained an understanding of the general purpose and membership of the various committees.

Figure 2: Internally-Focused Committees and Groups that Contribute to Internal ERM

Reporting to: Chairman, COO & CFO; Audit Committee

Internally-Focused Committees

Operational
• Operating Committee
• Corporate Investment Advisory Group
• Savings Plan Committee
• Customer Advisory Committee

Human Resource Related
• Human Resources Committee
• Executive Review Board
• Chairman's Diversity Advisory Council
• Diversity Steering Committee
• Alternative Dispute Resolution Steering Committee

Information Technology Related
• Capital Investment Review Committee
• Chief Information Officer Council
• Project Management Office
• Corporate Data Sharing Steering Committee
• Information Technology Committee
• Website Advisory Committee

Office of Enterprise Risk Management (OERM)

Divisional Internal Control/Risk Management Units
• DSC Internal Control and Review Section
• DRR Internal Review Section
• DIR Planning and Resource Management Section
• Legal Division Internal Review Group
• DIT Audit and Internal Control Section
• DOF Administration and Internal Controls Section
• DOA Management Support Section
• Other internal control resources within FDIC offices

External oversight: Office of Inspector General (OIG); Government Accountability Office (GAO)

Source: OIG analysis based on interviews and review of Corporation documents.

Operating Committee: Chaired by the COO, membership is comprised of the FDIC Chairman, Vice Chairman, Deputies to the Chairman and Vice Chairman, and directors of all divisions and offices. This Committee, which is scheduled to meet biweekly, serves as a briefing forum to ensure that Committee members are informed of issues concerning the Corporation.

Corporate Investment Advisory Group: Chaired by the CFO, membership includes Division of Finance (DOF), Division of Insurance and Research (DIR), and Division of Resolutions and Receiverships (DRR) directors, who review cash flow projections for each FDIC fund and provide advice to the CFO concerning (1) investment strategies in light of economic and market conditions, (2) appropriate levels of liquidity for each fund, and (3) purchase strategies for funds to be invested in Treasury securities. This Group meets quarterly.

Savings Plan Committee: This Committee is chaired by the CFO and includes the Director, DIR; Deputy General Counsel (Corporate Operations); Associate Director, Human Resources Branch, Division of Administration (DOA); and a representative from the National Treasury Employee's Union.
The Committee considers issues related to the administration of the Corporation's 401(k) plan, including the performance of the plan's investment options.

Customer Advisory Committee: Co-chaired by the DOA and DOF Directors, this committee includes a senior staff member from each division and office and considers administrative matters of interest to FDIC management.

Human Resources Committee: Includes executives from FDIC Divisions and focuses on developing and evaluating human capital strategies with corporate-wide impact. The FDIC established this Committee to integrate strategic human capital planning into the Corporation's planning, budgeting, and investment processes. This Committee meets weekly.

Executive Review Board: Through this Board, the COO, CFO, and other members who might be appointed make recommendations to the FDIC Chairman on all matters affecting managers and executives, including compensation, benefits, incentives, and performance management.

Chairman's Diversity Advisory Council: Through this Council, individuals throughout the FDIC promote and support a diverse environment, facilitate employee communication with management regarding diversity concerns, and provide input to the Director, Office of Diversity and Economic Opportunity (ODEO), on recommendations for changes in policies and procedures that foster diversity objectives.

Diversity Steering Committee: Chaired by the Director, ODEO, membership consists of deputy directors for Division of Information Technology (DIT) and Division of Supervision and Consumer Protection (DSC) and the Deputy General Counsel, Legal Division.
This Committee promotes and supports diversity initiatives.

Alternative Dispute Resolution Steering Committee: The Committee is comprised of representatives from every office and division designated to oversee corporate-wide alternative dispute resolution (ADR) policies, procedures, and programs and to assist in the design and implementation of new ADR processes. This Committee meets quarterly and also prepares for the FDIC Board an annual report on the uses of ADR throughout the Corporation.

Capital Investment Review Committee (CIRC): Co-chaired by the CFO and Chief Information Officer (CIO), membership consists of the Deputy to the Chairman, directors for DIR, DSC, DRR, DOF, and DOA, and the General Counsel. The committee meets quarterly and provides a systematic management review process to support budgeting for the Corporation's capital investments (defined as initiatives with a total capital outlay in excess of $3 million) and to ensure regular monitoring and proper management of these investments.

Chief Information Officer Council: Chaired by the CIO, members include executive representatives from DSC, DRR, DIR, DOF, DOA, Legal, DIT, and Corporate University (CU) as well as a representative of the COO. This Council, which normally meets monthly, advises the CIO on all aspects of adoption and use of information technology at the FDIC and supports the CIRC in its management and monitoring of the limited set of major IT investments.

Project Management Office: This office was established as a result of DIT's 2005 Transformation effort and resides within DIT's Business Administration Branch.
The office provides a number of critical functions to support the selection, management, oversight, and analysis of a broad inventory of IT projects.

Corporate Data Sharing Steering Committee: Membership is comprised of representatives from all divisions, the COO's office, and the CFO's office. This Committee sets the strategic direction for corporate data planning, management, and use.

Information Technology Committee: Chaired by the Director, DIT, this Committee includes members from the CFO's Office and all divisions and reviews new IT initiatives and makes recommendations concerning the new initiatives to the CIO Council.

Website Advisory Committee: This Committee includes representatives from OPA, the Legal Division, DIR, DSC, DRR, DIT, and the COO's Office, and advises the Chief Web Officer on issues and corporate policies regarding the FDIC's Web page.

Audit Committee: This Committee is chaired by the Vice Chairman and includes the Director, Office of Thrift Supervision, and the Deputy to the FDIC Chairman. The FDIC's formal rules indicate that the Audit Committee is responsible for reviewing results of completed GAO and OIG audits and evaluations, requesting audit follow-up, if necessary, and submitting recommendations with respect to the audit reports to the Chairman's office and the FDIC Board.

OERM: Serves as liaison to the OIG and GAO staff working on audits of FDIC operations, provides staff support to the FDIC Audit Committee and select programs managed by other FDIC organizations, and coordinates preparation of the FDIC's Annual Performance and Accountability Report (Annual Report).

GAO and OIG issue audit and evaluation reports and present the results of their reviews of FDIC programs, operations, and functions to the Audit Committee.
In addition to program operation and functional audits, the GAO annually audits the FDIC's financial statements. The OIG's business plan includes an annual evaluation of the FDIC's Information Security Program, as required by the Federal Information Security Management Act (FISMA).

Division and Office internal review units have their own internal risk management programs with activities such as regional and office reviews, annual risk assessments, internal control reviews, risk management reviews, and IT and business process reviews. Appendix II contains details on the resources and types of risk management activities for the divisions and offices.

Suggestion for Management

As discussed, the FDIC has a number of internally-focused committees and groups that collectively contribute to internal ERM and good corporate governance. More could be done, however, to institutionalize how these entities interact to manage internal risks facing the Corporation and for the purpose of preserving continuity in the event of senior management changes. Accordingly, we suggest that the Chairman's Office, in coordination with the COO and the CFO, articulate and document how the various committees and groups interrelate in managing internal risk.

Comparison of the FDIC's Overall Internal ERM Efforts to the COSO ERM Framework

The FDIC has incorporated elements of several of the eight interrelated components outlined in COSO's ERM Framework in the Corporation's overall internal risk management activities. Specifically, the FDIC's approach to risk management includes many of the principles encompassed in the Internal Environment, Objective Setting, and Control Activities components of COSO.
However, we identified variances between the FDIC's existing ERM program and the COSO ERM Framework and concluded that opportunities exist for FDIC to make additional enhancements to its ERM program by incorporating key principles of the COSO ERM Framework.

COSO ERM Framework - Internal Environment: Encompasses the tone of an organization, influencing the risk consciousness of its people, and is the basis for all other components of enterprise risk management, providing discipline and structure.

According to COSO, the internal environment influences how strategies and objectives are established; business activities are structured; and risks are identified, assessed, and acted upon. This component influences the design and functioning of control activities, information and communication systems, and monitoring activities. Internal environment factors include:

• an entity's risk management philosophy;
• its risk appetite;
• oversight by the board of directors;
• the integrity, ethical values, and competence of the entity's people;
• how management assigns authority and responsibility; and
• how management organizes and develops its people.

Internal Environment Factors at the FDIC

The FDIC practices or possesses many of the internal environment factors in everyday operations of the Corporation.
For example:

• The FDIC has published mission statements, a corporate vision statement, and core values.
• Members of the FDIC Board participate in monthly Board Meetings and are engaged in FDIC operations through management reports and periodic meetings with FDIC executives.
• The FDIC Board has established committees to manage certain functions, and the FDIC has established a number of operational committees to evaluate risks and manage projects.
• The FDIC Board has also delegated authority to committees and FDIC executives to carry out corporate functions.
• The FDIC holds its executives accountable for achieving corporate goals and objectives and has tied employee pay to performance.
• FDIC employees are required to follow government-wide standards of ethical conduct and supplemental standards pertaining to FDIC employees.
• The FDIC established the CU to coordinate and facilitate high-quality, cost-effective learning and development consistent with corporate objectives, and the FDIC requires employees to take annual awareness training related to information security and privacy.

Opportunities to Enhance the FDIC's Internal Environment

The FDIC may benefit from more explicitly addressing two factors in COSO's internal environment component, namely the FDIC's risk management philosophy and risk appetite. According to COSO, an entity's risk management philosophy:

• is the set of shared beliefs and attitudes characterizing how the entity considers risk in everything it does, from strategy development and implementation to its day-to-day activities;
• reflects the entity's values influencing its culture and operating style; and
• affects how enterprise risk management components are applied, including how risks are identified, the kinds of risks accepted, and how they are managed.

An entity's risk management philosophy is reflected in virtually everything management does in operating the entity and is captured in policy statements, oral and written communications, and decision making. COSO states that, when the risk management philosophy is well developed, understood, and embraced by an entity's personnel, the entity is positioned to effectively recognize and manage risk. Otherwise, there can be uneven applications of enterprise risk management across business units, functions, or departments.

Risk appetite is the amount of risk, on a broad level, that an entity is willing to accept in pursuit of value. It reflects the risk management philosophy and, in turn, influences culture and operating style. An entity's risk appetite is considered in strategy setting; guides resource allocation; and aligns organization, people, processes, and infrastructure. Entities can consider risk appetite (1) qualitatively, with categories of high, moderate, or low or (2) quantitatively, reflecting and balancing goals for growth, return, and risk. Protiviti®, Inc.
reported that, in defining enterprise risk management, COSO set a standard for management to manage risk within the entity's risk appetite, as understood and agreed by the board of directors, and that management considers risk appetite when defining objectives, formulating strategy, allocating resources, setting risk tolerances, [4] and developing risk management capabilities.

In regard to risk appetite, the Director of OERM issued a November 2005 memorandum, Update on ERM in the FDIC, to division and office directors that discussed the link between "...risk appetite and reasonable assurance that the Corporation is in substantial compliance with any given requirement." The memorandum stated that:

    With respect to "risk appetite", I believe it is fair to characterize the Corporation as being primarily a risk-averse organization, relative to both our external and internal responsibilities. Clearly, this is a positive characteristic, given that we should be good stewards and strive to lead by example relative to both our peer group and the institutions we supervise. At the same time, however, managing to perfection or maintaining a zero-tolerance working environment on all controls is usually not a preferred course of action and could be counter-productive, particularly relative to employee morale and our overall cost-effectiveness.

[4] COSO defines risk tolerance, a term often used interchangeably with risk threshold or risk limit, as the acceptable level of variation relative to achievement of a specific objective, and often best measured in the same units as those used to measure the related objective.

We do note that elements of the FDIC's risk appetite are driven by law or regulation, such as the safety and soundness examination schedule, minimum institution capital levels, and limitations on investment options for the Deposit Insurance Fund. In other cases, the FDIC has imposed thresholds or limits, such as Maximum Efficiency, Risk-focused, Institution Targeted examination parameters or capital investment management oversight thresholds, which serve to establish risk appetite for discrete processes or functions.

Further, the FDIC Chairman has given speeches that describe the FDIC's risk appetite in regard to external matters in the banking industry such as subprime and predatory lending, mortgage foreclosures, and capital requirements. Also in reference to external risk responsibilities, the FDIC issued its second quarter 2007 Letter to Stakeholders in August 2007, in which the Corporation reported its continued focus on monitoring the mortgage market and any negative impacts on borrowers and insured institutions, bringing unbanked and underbanked populations into the financial mainstream, and working with other regulators to issue final rules regarding capital requirements for banks.

However, beyond the above-mentioned memorandum from the Director, OERM, we did not see evidence of a formally articulated risk philosophy or risk appetite for the Corporation.
As discussed previously, COSO notes this articulation is important in ensuring that an entity is positioned to effectively recognize and manage risk, define objectives, and allocate resources.

COSO ERM Framework - Objective Setting: Objectives must exist before management can identify potential events affecting their achievement. ERM ensures that management has in place a process to set objectives and that the chosen objectives support and align with the entity's mission and are consistent with its risk appetite.

COSO states that objectives are set at the strategic level, establishing a basis for operational, reporting, and compliance objectives. Operational objectives, in particular, vary based on management's choices about structure, performance, and risk and reflect preferences, judgment, and management style. Effective ERM does not dictate which objectives management should choose, but does help to ensure that management has a process that aligns strategic objectives with the entity's mission and that ensures the chosen strategic and related objectives are consistent with the entity's risk appetite.

Objective Setting at the FDIC

Consistent with GPRA and related statutes, the FDIC defines its strategies and business objectives through the issuance of a strategic plan, an annual performance plan (APP), and a performance and accountability report (Annual Report). The FDIC also has implemented additional performance measurement processes in the form of Corporate Performance Objectives (CPOs) and balanced scorecards, as well as other performance metrics related to individual contracts and system development efforts.
These measures cascade throughout the entity, divisional, and unit levels of the Corporation.

We recently issued an evaluation report [5] that concluded the FDIC has developed and implemented multiple performance measurement processes and approaches that serve various stakeholder needs and that FDIC managers use to varying levels to manage and monitor program performance. Collectively, we found that the FDIC uses performance measures to make management decisions to improve programs and results. We also found that the FDIC assigns responsibility for meeting specific performance objectives and completing corporate initiatives to individual agency managers.

Opportunities to Align Objectives with Risk Appetite

COSO notes that, as part of ERM, management not only selects objectives and considers how they support the entity's mission, but also ensures that they align with the entity's risk appetite. COSO also discusses establishing risk tolerances, which are acceptable levels of variation in the achievement of objectives. Entities use performance measures to ensure that actual results are within established risk tolerances. As discussed above, the FDIC has mechanisms in place for setting objectives and aligning them with its mission, and uses performance measurements to improve programs and results.
However, with an established risk appetite, FDIC managers may be able to more readily establish objectives and measurements that are in keeping with the overall risk philosophy of the Board, Chairman, and other senior executives.

[5] Evaluation of the FDIC's Use of Performance Measures (EVAL-07-002), dated May 2007.

COSO ERM Framework - Event Identification: Management identifies potential events that, if they occur, will affect the entity, and determines whether they represent opportunities or whether they might adversely affect the entity's ability to successfully implement strategy and achieve objectives.

According to COSO, an event is an incident or occurrence emanating from internal or external sources that affects implementation of strategy or achievement of objectives. Events with negative impact represent risks, which require management's assessment and response. Events with positive impact represent opportunities, which management channels back into the strategy and objective-setting processes. When identifying events, management considers a variety of internal and external factors that may give rise to risks and opportunities, in the context of the full scope of the organization. Examples of external factors are economic, natural environment, political, and social. Examples of internal factors include infrastructure, personnel, process, and technology.

Event Identification Factors at the FDIC

As discussed later, the FDIC identifies potential external events through the Corporation's external risk management activities performed principally through three divisions – DSC, DIR, and DRR – and the external risk committees identified later in Figure 4.
In addition, the FDIC's 2007 Annual Performance Plan includes a discussion of external factors, such as the economy's performance at the national, regional, and local levels, which have an impact on the banking industry and the FDIC.

In regard to the FDIC's internal ERM program, Circular 4010.3 states that each FDIC manager should (1) identify key activities within his or her area of responsibility that contribute to the accomplishment of the division/office and/or corporate mission and (2) seek to determine what impediments (risks) might threaten the ability to achieve success. The policy notes that key activities could be tied to CPOs or initiatives defined in the program's balanced scorecard.

During the 2006 assurance statement process, OERM also requested divisions and offices to identify second-tier issues—areas of concern that did not rise to the level of a material weakness—in their assurance statements. The purpose of this exercise is to bring to light issues that previously may not have received attention because the focus of the assurance statement process was geared toward disclosing material weaknesses. Collectively, FDIC divisions and offices identified more than 60 issues. Examples of second-tier issues reported included topics such as Deposit Insurance Reform, the Contract Electronic File System, and curbing unfair and deceptive (lending) practices. OERM compiled the second-tier issues into a single list organized by division and office and provided the list to the Audit Committee in early 2007.

Opportunities to Enhance the FDIC's Event Identification

COSO notes that event identification needs to be robust, because it forms the basis for the risk assessment and risk response components.
COSO also identifies examples of techniques and tools that may be used to facilitate event identification, such as:

• Event inventories: which are listings of potential events common to a specific industry or functional area,
• Facilitated workshops and interviews: usually of cross-functional teams regarding events that may affect achievement of entity or unit objectives,
• Process flow analysis: which involves mapping processes to identify potential events, and
• Loss event data tracking: which uses relevant data from past events to predict future occurrences.

COSO also discusses the importance of identifying interdependencies between events, categorizing potential events horizontally across an entity and vertically within operating units, and distinguishing events as either risks or opportunities. Doing so helps management develop an understanding of relationships between events, and provides information for assessing risks.

Although Circular 4010.3 provides high-level policy guidance for identifying key activities and associated risks, the Circular does not provide specific guidance for event identification, such as describing tools and techniques similar to those referenced by COSO above. Further, we confirmed that OERM has not issued specific guidance regarding the manner in which divisions and offices should identify events that could affect the achievement of strategic goals and objectives. We observed that divisions and offices conduct event identification processes to varying levels and degrees. For example:

• DIT is in the process of implementing the Control Objectives for Information and Related Technology (COBIT©) framework, an international IT controls and governance standard, which includes event identification efforts related to specific IT processes. DIT aligned its Accountability Units (AU) [6] with the 34 COBIT© IT business processes, one of which is to assess and manage IT risks. For this process, DIT prepared a management control plan for 2007 and identified and ranked IT risks.
• The FDIC's Legal Division meets annually with appropriate managers to identify new potential risks pertaining to individual AUs.
• DRR's risk management program is integrated with the division's annual planning cycle, and DRR uses its strategic plan to identify risk areas during the fourth quarter of each year to determine areas on which to focus internal review efforts for the upcoming year.
• DSC identifies risks annually based on and aligned with corporate initiatives.
• DOA identified eight functional areas for inclusion in its internal review program through consideration of emerging trends, consultation with OERM officials, known areas of high visibility and perceived risk, audit conditions, and DOA's judgment.
• DOF identified risks within the management control plans [7] developed for each of its accountability units.

[6] An accountability unit is an organization's programs, functions or operations divided into meaningful units of appropriate size or nature to ensure an effective evaluation of internal accounting and administrative controls.

[7] A management control plan represents a plan of scheduled internal control reviews based on the accountability unit's risk assessment.

COSO also stresses the importance of linking events and objectives, that is, identifying events that could prevent the achievement of objectives. In this regard, we interviewed officials from the Office of the Comptroller of the Currency (OCC) about the OCC's Enterprise Governance Program. [8] At the OCC, Enterprise Governance staff is responsible for facilitating the OCC strategic planning process. OCC executives hold an annual executive conference where executives identify strategic goals and objectives for the coming year. OCC executives also identify and assess risks associated with achieving strategic goals and objectives, and risk tolerances. Enterprise Governance staff document the results of the strategic planning and risk identification conference in a Strategic Risk Management Plan. An OCC Executive Committee monitors the plan during the year and meets quarterly to discuss plan status.

FDIC executives also hold an annual planning conference to develop CPOs and annual performance goals for the coming year, and we have observed that FDIC executives identify and discuss potential risks to achieving corporate objectives. However, this process is not as formal or well-documented as the OCC's approach or as closely coordinated with the ERM program.

[8] The Comptroller of the Currency established the Enterprise Governance unit, which reports to OCC's Chief of Staff and Public Affairs, to support the OCC's strategic planning, risk management, quality management, assurance testing, and business process improvement efforts.

COSO ERM Framework - Risk Assessment: Identified risks are analyzed in order to form a basis for determining how they should be managed. Risks are associated with objectives that may be affected.
Risks are assessed on both an inherent and a residual basis, with the assessment considering both risk likelihood and impact.

COSO notes that a risk assessment allows an entity to consider the extent to which potential events have an impact on the achievement of objectives. Management assesses events from two perspectives, likelihood and impact, and normally uses a combination of qualitative and quantitative methods. The positive and negative impacts of potential events should be examined, individually or by category, across the entity. Risks are assessed on both an inherent and a residual basis. Inherent risk is the risk to an entity in the absence of any actions management might take to alter either the risk’s likelihood or impact. Residual risk is the risk that remains after management’s response to the risk.

The COSO ERM Framework notes that the risk assessment component is a continuous and iterative interplay of actions that take place throughout the entity. While managers responsible for business unit, function, process, or other activities develop a composite assessment of risk for individual units, entity-level management should consider risk from a “portfolio” perspective.

Risk Assessment Factors at the FDIC

The FDIC’s internal risk assessment activities are reflected in the following:

• Circular 4010.3 includes the concept of identifying and analyzing exposure to risks from both external and internal sources, and cites as policy that management should evaluate the risks identified for key activities in terms of both the likelihood of occurrence and the potential impact.
The circular offers OERM’s assistance to divisions and offices in regard to such evaluations.

• OERM’s guidance for assurance statements highlights the concept of risk assessment being a continuous interplay of actions in an organization by stating that the primary basis for providing assurance on issues should be management’s judgment based on knowledge gained from the daily operation of programs and systems and supplemented by results of internal reviews, audits, evaluations, and similar activities.

• OERM issued OERM Risk Manager Guidelines in 2005 for OERM staff who may be appointed to serve as risk managers on major IT projects. The guidelines include a discussion of risk assessment techniques, including assessing probability and impact.

• The FDIC’s Legal Division, OERM, and CU developed enterprise risk management training which was presented to Legal Division management in July and October 2006. The training included a discussion of using qualitative techniques in risk assessments through which the impact of risk is portrayed as high, medium, or low, and the likelihood of occurrence is demonstrated as significant, moderate, or low.

Opportunities to Enhance the FDIC’s Risk Assessments

FDIC Circular 4010.3 discusses the likelihood and impact of risk in the context of policy, but the circular does not indicate how risk assessments should be performed. OERM has not issued implementing procedures to specify how divisions and offices should be conducting risk assessments. Instead, Circular 4010.3 assigns responsibility for each division and office to establish its own risk assessment technique.
Further, Circular 4010.3 focuses on division and office risk assessments for their respective organizations and does not address the principle of identifying and assessing risks that are common across the Corporation.

In this regard, we identified differences regarding how divisions and offices conducted risk assessment activities. Moreover, one division and one office representative expressed a desire for guidance from OERM regarding conducting risk assessments.

The COSO ERM Framework states that an entity need not use common assessment techniques across all business units and adds that the choice of techniques should reflect the need for precision and the culture of the business unit. However, COSO also states that although different methods may be used, they should provide sufficient consistency to facilitate the assessment of risks across the entity. Consistency would also facilitate developing an entity-wide risk portfolio. Finally, COSO notes that the time horizon used to assess risk should be consistent with the time horizon of the related strategy. Risk assessments may be:

• qualitative—such as risk rankings, risk maps, and risk questionnaires, or
• quantitative—such as probability-based techniques, stress testing, and scenario analyses.

As discussed earlier, OERM has requested divisions and offices to identify second-tier issues, which represents an improvement in the risk assessment process. However, OERM has not provided implementing guidance for prioritizing or assessing risk associated with second-tier issues, and we saw limited evidence that OERM or divisions and offices took steps to prioritize or perform risk assessments of second-tier issues.
OERM’s predecessor organization, the OICM, issued the FDIC Internal Control and Risk Management Manual in 1998, which included guidance for performing risk assessments and risk assessment questionnaires for management’s use. As discussed in Appendix II, some FDIC organizations are still using some of the risk assessment techniques in the manual for their respective operations.

COSO ERM Framework: Risk Response
Personnel identify and evaluate possible responses to risks, which include avoiding, accepting, reducing, and sharing risk. Management selects a set of actions to align risks with the entity’s risk tolerances and risk appetite.

COSO provides that, having assessed relevant risks, management determines how it will respond. In considering its response, management assesses the effect on risk likelihood and impact, as well as costs and benefits, selecting a response that brings residual risk within desired risk tolerances. Management identifies any opportunities that might be available and takes an entity-wide view of risk, determining whether overall residual risk is within the entity’s risk appetite.

Risk Response Factors at the FDIC

Circular 4010.3 provides possible risk mitigation strategies, including accepting a perceived low level of risk, developing additional controls, or instituting a process of independent testing to provide greater assurance that risks are mitigated to the extent necessary. In addition, in its guidance for the 2007 assurance statement process, OERM requested that divisions and offices provide a brief summary of any actions taken during 2007 to address second-tier issues identified during the 2006 assurance statement process.

We identified a good example where the FDIC identified and assessed risks, and developed mitigation strategies.
The FDIC’s Deposit Insurance Reform Executive Risk Management Committee prepared a proposed list of risks associated with deposit insurance reform activities, titled DI Reform – Risks Managed by DIRMT. The listing included a title and description of identified risks, a numerical ranking of the magnitude of the risk, and control strategies for each risk to either mitigate the risk or develop contingency plans to address the risk. The listing effectively documented the risk response strategy and assigned a risk owner for each risk.

Opportunities to Enhance the FDIC’s Risk Response

OERM could do more in this area by providing guidance to divisions and offices on how they should respond to identified risks (such as the second-tier issues) and by providing training related to the various types of risk responses (avoiding, reducing, sharing, accepting) and the concept of residual risk.[9]

We noted that OERM’s guidance for assurance statements includes a statement that the non-material challenges reported for the year should be the primary (but not exclusive) basis for review initiatives planned by the respective division or office for the upcoming year. However, we did not see evidence that OERM evaluates the second-tier issues for commonality or aggregate effect across the Corporation. Taking such an enterprise-wide view may reveal that although business unit risks may be within the risk tolerances of the individual units, aggregate risks might exceed the risk appetite of the entity as a whole.

[9] COSO states that, in assessing risk, management considers both inherent and residual risk. Inherent risk is the risk to an entity in the absence of any actions management might take to alter either the risk’s likelihood or impact.
Residual risk is the risk that remains after management’s response to the risk.

COSO ERM Framework: Control Activities
Control activities are the policies and procedures that help ensure that management’s risk responses are carried out and objectives are achieved. Control activities may be categorized based on the nature of the entity’s objectives to which they relate: strategic, operations, reporting, and compliance.

According to COSO, control activities occur throughout the organization at all levels and in all functions. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, and segregation of duties.

Control Activities at the FDIC

The FDIC’s risk management program identifies the internal control standard related to control activities, stating that management shall develop and implement policies, procedures, techniques, and mechanisms ensuring that management directives are carried out.
Some key control activities cited in Circular 4010.3 include:

• Top level review of actual performance.
• Management reviews at the program activity level.
• Management of human capital.
• Controls over information processing.
• Physical control over valuable assets.
• Establishment and review of performance measures and indicators.
• Segregation of duties.
• Proper execution of transactions and events.
• Accurate and timely recording of transactions and events.
• Access restrictions to and accountability for resources and records.
• Appropriate documentation of transactions and internal controls.

In addition, the FDIC has established scorecard initiatives in some divisions, and other control activities are reflected in corporate documents such as the FDIC Bylaws, DSC regional director memoranda, and various manuals and circulars.

OERM’s guidance for preparing annual assurance statements requires divisions and offices to provide assurance on control activity-related areas of interest.
For example, the 2006 assurance statement guidance requested that divisions and offices provide assurance on a number of items, including that:

• procedures were fully documented for all key activities,
• systems security was in substantial compliance with all relevant requirements,
• continuity of operations planning in all critical areas was sufficient to reduce risk to reasonable levels in the event of a disaster, and
• sufficient actions had been taken to minimize any negative impact associated with downsizing.

Opportunities to Align Control Activities with Risk Responses

The COSO ERM Framework notes that control activities are an important part of the process by which an entity strives to achieve its business objectives. While Circular 4010.3 identifies key control activities in the context of the GAO’s Standards for Internal Control in the Federal Government, as is appropriate, the Circular does not address control activities in the context of ERM.
In this regard, OERM could provide additional guidance or assistance to divisions and offices in:

• consistently linking corporate objectives to risk responses and to control activities;
• ensuring that control activities are designed to help ensure that strategic, operational, reporting, and compliance objectives are met; and
• evaluating control activities from a corporate-wide, or portfolio, perspective.

COSO ERM Framework: Information and Communication
Relevant information is identified, captured, and communicated in a form and timeframe that enable people to carry out their responsibilities. Effective communication occurs in a broader sense, flowing down, across, and up the entity.

COSO states that information is needed at all levels of an organization to identify, assess, and respond to risks, and to otherwise run the entity and achieve its objectives. Information systems must provide information to appropriate personnel so that they can carry out their operating, reporting, and compliance responsibilities. But communication also must take place in a broader sense, dealing with expectations, responsibilities of individuals and groups, and other important matters. Further, personnel must have a means of communicating significant information upstream. COSO also provides that every enterprise identifies and captures a wide range of information relating to external as well as internal events and activities, relevant to managing the entity. Technology plays a critical role in enabling the flow of information in an entity, including information directly relevant to enterprise risk management.

Protiviti®, Inc. notes that reporting is integral to the information and communication ERM component because it drives transparency about risk and risk management throughout the organization to enable risk assessment, execution of risk responses and control activities, and monitoring of performance.

Information and Communication Factors at the FDIC

The FDIC communicates information through a number of periodic reports for senior corporate managers pertaining to internal FDIC matters, such as:

• Quarterly CIRC reports on the status of capital investment projects (such as IT system development efforts);
• Semiannual Contract Assessment Reports that provide cost, milestone, and performance information on contracts valued at $5 million or greater;
• Quarterly Emergency Preparedness Reports;
• Quarterly CFO reports to the Board highlighting financial activities and results; and
• Quarterly Performance Summary on the status of CPOs and Annual Performance Goal exception reporting.

The Chairman’s office has taken steps to make sure that the Chairman and the FDIC Board Members receive appropriate management reports in a format and level of detail that enhances understanding.
The Chairman’s office is developing a secure electronic repository to house FDIC Board and Chairman-level reports to improve management report delivery and availability. With regard to providing information to employees, the FDIC communicates information to staff in various ways, including:

• Posting on the FDIC’s internal Web site performance information such as the CPOs, summary of year-to-date cumulative results on the accomplishment of the CPO goals, and APPs.
• DSC’s balanced scorecard is available to all DSC staff and provides detailed information about strategic objectives and performance targets to provide a comprehensive view of business operations at the national, regional, and territory level.
• DOF’s balanced scorecard is available to FDIC employees and presents performance measurement information about DOF operations, strategies, and initiatives.
• DOA and DOF encouraged their staff to participate in the 2008 corporate-wide planning and budget process by submitting potential new projects, performance objectives, and initiatives for 2008.

Annual Assurance Statement Process: As discussed earlier, OERM issues annual assurance statement guidance to divisions and offices that includes instructions for providing assurance on internal control objectives (for purposes of external reporting) and disclosing non-material challenges (second-tier issues) requiring management’s attention (for purposes of internal reporting).
OERM indicated that division and office disclosure of second-tier issues is a positive step, because it affords management the opportunity to devote resources to address those issues and to better plan risk management activities.

Opportunities to Enhance the FDIC’s Information and Communication Efforts

OERM internal reporting on ERM activities could be enhanced. For example:

• While OERM briefs executive management and produces a bi-weekly Audit Status report, we identified no further examples of ERM reporting from OERM to the Chairman’s Office or the FDIC Board.
• OERM discontinued the practice of providing monthly status reports to executive management in 2005, based on a corporate-wide initiative to streamline reporting.
• OERM has also discontinued its practice of periodically meeting with internal control liaisons from FDIC divisions and offices to discuss internal control and ERM issues. Several liaisons indicated that these meetings were helpful and allowed the liaisons to share ideas with their counterparts in other divisions and offices. Several liaisons indicated that they would like to resume meeting on a quarterly or some other periodic basis.

OERM Assurance Statement: OERM officials stated that they are not required to prepare an assurance statement regarding OERM’s controls and activities because OERM compiles the division and office annual assurance statements and preparing its own would constitute submitting an assurance statement to itself. OERM officials also stated that other offices such as CFO and COO do not prepare assurance statements. We note that divisions and offices address their assurance statements to the Chairman, not OERM. Thus, submitting an assurance statement would not constitute OERM reporting to itself.
We also note that OERM has other responsibilities in addition to facilitating the assurance statement process, including:

• the FDIC’s ERM Program,
• internal control reviews and program evaluations of the FDIC’s business lines,
• monitoring audit follow-up and resolution activities,
• Audit Committee activities,
• maintaining the audit tracking system,
• serving as risk managers for major IT projects, and
• the Post-Project Review program.

Without submitting an assurance statement, OERM has not provided the Chairman with documentation supporting positive assurance that the ERM program and other OERM program responsibilities are effective and efficient, have sufficient internal controls, follow relevant laws and regulations, or are supported by documented procedures.

Financial Management Systems Assurance: Opportunities also exist for the FDIC to improve external reporting of ERM activities. The FDIC Chairman’s assurance statement in the Corporation’s 2005 and 2006 Annual Reports indicates that the FDIC can provide reasonable assurance that the objectives of FMFIA Section 2 (internal controls) and Section 4 (financial management systems) have been achieved.[10] However, OERM has not developed agency-wide procedures regarding Section 4 assurances and reporting, and we were unable to confirm the basis or support for the Section 4 assertion related to financial management systems.

Government corporations, including the FDIC, are required by the CFO Act to prepare an annual management report that is consistent with agency statements on internal accounting and administrative control systems, as provided in FMFIA. The FMFIA also gives the Director, OMB, authority to issue implementing guidelines.
OMB has done so in Circulars A-123, Management’s Responsibility for Internal Control, and A-127, Financial Management Systems. The FDIC has concluded that it is not required to comply with these circulars but relies on OMB’s guidance to achieve compliance with the underlying statutory requirements.

According to A-123, FMFIA Section 4 requires an annual statement on whether the entity’s financial management systems conform to government-wide requirements. These government-wide requirements are set forth in part in OMB Circular A-127, section 7, which, among other things, requires agencies to have financial management systems that meet various requirements, including the ability to:

• Provide timely and useful financial information, including internal and external reporting requirements, and ensuring the integrity of financial data through monitoring;
• Produce financial information required to measure program, financial, and financial-management for budget program-management and financial statement presentation; and
• Prepare, execute, and report on the agency’s budget in accordance with OMB instructions.

Section 7 of A-127 also states that financial management systems shall be maintained to ensure efficiency and effectiveness and be clearly and currently documented per applicable guidance. These systems shall include a system of internal controls that ensure that resource use complies with applicable laws, regulations, and policies; that resources are safeguarded; and that reliable data is produced and reported. Lastly, users of the systems are to be adequately trained and appropriately supported.

[10] OMB Circular A-123 includes a provision for FMFIA Section 4 reporting for an annual statement on whether an agency’s financial management systems conform to government-wide requirements mandated by the FFMIA and section 7 of OMB Circular A-127, Financial Management Systems.

Moreover, under section 9.a.3 of A-127, agencies shall ensure that “appropriate reviews” of their financial management systems are conducted. These reviews must comply with policies for (1) reviews of internal control in accordance with OMB guidance for purpose of FMFIA and Circular A-123; (2) reviews of conformance of financial management systems with Circular A-127, section 7, in accordance with OMB’s FMFIA guidance; and (3) reviews of systems and security reviews under OMB Circular A-130, Management of Federal Information Resources. Lastly, section 9.a.4 requires agencies to issue, update, and maintain agency-wide financial management directives to reflect policies defined in the Circular (A-127).

In implementing either Circulars A-123 or A-127, OMB has provided agency heads with much discretion, since the Circulars do not contain any detailed process by which agency heads are to make their Section 4 assurances. Further, A-127 does not define or describe what is meant by “appropriate review.” In any case, agencies are required to have financial management directives that address A-127’s provisions.

We have not identified any OERM or FDIC written procedures on how the Section 4 assurance statement is to be supported and reported upon. Additionally, although we note that legal analyses have been prepared for Circulars A-123 and A-127, these analyses have not specifically addressed the issue of support for the statements of assurance, including the effect of reviews conducted under A-127, section 9. OERM and the CFO told us that there is no one specific document or review that would constitute the support or basis for the FDIC’s assurance statement regarding FMFIA Section 4 reporting.
Instead, OERM stated that the basis for the Chairman’s Section 4 assertion consists of many things taken together in regard to the FDIC’s core financial management system, the New Financial Environment (NFE), and other systems that interface with NFE, including:

• GAO’s Audit of the FDIC’s Financial Statements – the audit work and the results of the audit;
• FISMA reviews and reports, including security self-assessments and the OIG’s annual FISMA evaluation;
• FDIC internal control reviews; and
• The FDIC’s system development life cycle processes.

We noted that GAO’s financial statement audit report (Federal Deposit Insurance Corporation Funds’ 2006 and 2005 Financial Statements, dated February 2007, GAO-07-371) omitted mention of financial management systems under FMFIA, and we confirmed with GAO that the scope of its financial statement audit did not include FMFIA Section 4 (financial management systems) reporting. While some elements of the FISMA review and internal control reviews performed by FDIC divisions and offices may touch upon financial management system aspects, such as information security, we concluded that support for Section 4 reporting was undocumented, indirect, and fragmented and could be improved.

Given the statutory nature of the FDIC’s Annual Report,[11] there should be adequate support behind the Chairman’s statements of assurance regarding FMFIA Sections 2 and 4.
To help ensure the adequacy of such support, the FDIC should develop and document procedures that consider the provisions of OMB’s Circulars A-123 and A-127 and other relevant authorities, in general, and the following topics, in particular:

• what financial management systems reviews should be performed,
• the organization(s) responsible for the reviews,
• what supporting documentation is needed for the assurance statement, and
• to whom and in what manner or form the results of financial management system reviews should be reported.

A more clearly defined process for Section 4 reporting would also help ensure that the Director, OERM, has sufficient information for determining whether any weaknesses identified in the financial systems reviews need to be reflected in the Chairman’s assurance statement and/or warrant reporting for purposes of OMB Circulars A-123 and A-127.

[11] Federal Deposit Insurance Act, section 17, and the CFOA.

COSO ERM Framework: Monitoring
The entirety of enterprise risk management is monitored and modifications made as necessary. Monitoring is accomplished through ongoing management activities, separate evaluations, or a combination of the two.

According to COSO, ongoing monitoring occurs in the normal course of management activities. The scope and frequency of separate evaluations depends primarily on an assessment of risks and the effectiveness of ongoing monitoring procedures.
ERM deficiencies are reported upstream, with serious matters reported to top management and the board.

Monitoring Activities at the FDIC

Examples of monitoring of internal operations through ongoing management activities include:

• periodic reports to the COO, CFO, FDIC Chairman, and FDIC Board, detailing the use of delegated authority by FDIC staff;
• budget variance analyses and mid-year budget review; and
• assignment of oversight managers and technical monitors to procurement efforts.

Examples of separate evaluations of internal operations at the FDIC include:

• audits and studies of FDIC programs, operations, and financial statements from the GAO;
• audits and evaluations of programs and operations conducted by the OIG; and
• internal control reviews and program reviews conducted by division and office internal review units.

OERM Monitoring Activities: OERM indicated that it has conducted reviews and studies in areas such as:

• performing quality assurance work to ensure the data integrity of the Office of Diversity and Economic Opportunity case processing systems and completeness of case files,
• assisting the Privacy Program Manager in developing aspects of a privacy program,
• analyzing the number of management reports submitted to the FDIC Board and Chairman’s Office, and
• reviewing DOF and DIR procedures for updates required by the implementation of Deposit Insurance Reform.

OERM also has one staff member who participates in DSC regional office reviews with DSC’s Internal Control and Review Section and performs internal control reviews of DSC operations.
For\nexample, OERM provided internal control review reports related to determining: whether a regional\noffice\xe2\x80\x99s published policies were current and complete; how another regional office utilized DSC\nScorecard information, and how the regional office managed the accuracy of Corporate Human\nResources Information System staffing tables and salary cost allocations to corporate programs.\n\n\n\n\n                                                 26\n\x0cOpportunities to Enhance ERM monitoring\n\nUnder the FDIC Bylaws, OERM also has responsibility for conducting program evaluations of the\nCorporation\xe2\x80\x99s business lines (DSC, DIR, DRR) as contemplated under GPRA. In this regard, we\nrecommended in a recent report12 that OERM take steps to add greater independence and structure to\nits program evaluation efforts, such as developing an annual evaluation schedule, defining the scope\nand methodology of procedures performed, and reporting recommendations for program\nimprovements.\n\nOERM also has desk officers who are assigned to each division and office throughout the FDIC. The\ndesk officers indicated that they are involved in monitoring certain second-tier issues through\nfrequent communication with their respective divisions and offices. OERM does not formally\ndocument its reviews but predominantly uses informal communication channels. The COSO ERM\nframework allows that many aspects of enterprise risk management are informal and undocumented,\nyet are regularly performed and highly effective. However, in this regard, COSO also states that an\nappropriate level of documentation usually makes evaluations more effective and efficient.\n\nFinally, although the CFO indicated that he is responsible for overseeing OERM, we did not see\na formal program or process for monitoring OERM\xe2\x80\x99s implementation of ERM. 
Such oversight\nshould ensure that OERM implements ERM infrastructure and the basic components of COSO\xe2\x80\x99s\nERM Framework and that the ERM program delivers risk management information that is useful\nand actionable.\n\nRecommendations\n\nThe FDIC\xe2\x80\x99s overall ERM program varies in some respects from what is recommended by\nCOSO. Although organizations have latitude and flexibility in implementing ERM to meet\nspecific needs, the FDIC may wish to take action to more closely align corporate practices with\nthe COSO framework and thereby maximize the effectiveness and efficiency of the various risk\nmanagement activities currently in place throughout the Corporation.\n\n1. We recommend that the Chairman further study variances between the FDIC\xe2\x80\x99s overall\n   internal ERM efforts and the COSO ERM Framework as discussed in this report and take\n   steps to address the variances where it will add value to the FDIC\xe2\x80\x99s ERM program. Areas for\n   potential focus include:\n\n      \xe2\x80\xa2   Defining and communicating the Corporation\xe2\x80\x99s risk appetite and ensuring that corporate\n          objectives are aligned with that appetite.\n      \xe2\x80\xa2   Establishing and documenting corporate-wide processes for identifying, assessing, and\n          responding to internal risks.\n      \xe2\x80\xa2   Establishing effective channels for OERM to communicate risk management information\n          throughout the organization, such as through periodic status reports and meetings with\n          divisional risk management/internal review units.\n\n\n\n12\n     Evaluation of the FDIC\xe2\x80\x99s Use of Performance Measures (Report No. 
EVAL-07-002), dated May 2007.\n\n\n                                                     27\n\x0c   \xe2\x80\xa2   Identifying the process for monitoring the implementation of ERM through ongoing\n       activities or separate evaluations of division and office risk management programs and\n       OERM\xe2\x80\x99s enterprise risk management program.\n\n2. We recommend that the Director, OERM, take necessary steps to develop and issue an\n   annual assurance statement to the Chairman related to the ERM program and other OERM\n   responsibilities.\n\n3. We recommend that the Director, OERM, coordinate with the Legal Division to review\n   section 4 reporting requirements to determine the FDIC\xe2\x80\x99s reporting responsibilities.\n\n4. Based on the results of recommendation 3, we recommend that the Director, OERM, issue\n   guidance for FMFIA section 4 reporting and the work required to support an assertion on\n   financial management systems.\n\n\n\n\n                                              28\n\x0cStructure of the FDIC\xe2\x80\x99s Internal ERM Program\n\n   Implementing ERM: An entity\xe2\x80\x99s size, complexity, industry, culture,\n   management style, and other attributes will affect how the framework\xe2\x80\x99s\n   concepts and principles are most effectively and efficiently implemented.\n\n\nThe COSO ERM Framework notes that organizations implement ERM differently, but indicates\nthere are common broad-based steps taken by entities that have successfully implemented ERM,\nsuch as conducting a current state risk assessment, developing an entity-wide ERM vision, and\nensuring capability development, which includes defining roles and responsibilities; policies,\nprocesses, tools, techniques, information flows and technologies; and competencies. These\ncapabilities are also collectively known as the ERM Infrastructure. 
Table 1 presents some\ncommon elements of ERM infrastructure.\n\nTable 1: Common Elements of ERM Infrastructure\nERM Infrastructure Elements\n\xe2\x80\xa2 CEO commitment (tone and message from the top),            \xe2\x80\xa2 Techniques for identifying risk,\n\xe2\x80\xa2 Risk policies and/or mission statements, including         \xe2\x80\xa2 Tools for assessing risks,\n  adapting any company risk or audit committee charter       \xe2\x80\xa2 Tools for reporting and monitoring risks,\n  to incorporate ERM,\n                                                             \xe2\x80\xa2 Incorporating risk into appropriate employees\xe2\x80\x99 job\n\xe2\x80\xa2 Reporting to business units, executives, and the board,      descriptions and responsibilities,\n\xe2\x80\xa2 Adoption or development of a risk framework,               \xe2\x80\xa2 Incorporating risk into the budgeting function, and\n\xe2\x80\xa2 Adoption or development of a common risk language,         \xe2\x80\xa2 Integrating risk identification and assessment into\n                                                               the strategy of the organization.\n Source: Institute of Management Accountants, Statement on Management Accounting, Enterprise Risk\n Management: Tools and Techniques for Effective Implementation, 2007.\n\nThe FDIC\xe2\x80\x99s Bylaws state that the Director, OERM, is responsible for administering the\nenterprise-wide risk management program that monitors and manages risks by maintaining\npartnerships with the divisions and offices, providing training, and addressing internal control\ndeficiencies. 
Among other things, the Bylaws provide that the Director, OERM, shall:\n\n    \xe2\x80\xa2   develop policies and procedures for the development, maintenance, and evaluation of a\n        comprehensive ERM program;\n    \xe2\x80\xa2   design and implement corporate-wide ERM training programs;\n    \xe2\x80\xa2   conduct outreach activities to explore best practices found in public and private sectors;\n    \xe2\x80\xa2   conduct corporate internal control reviews; and\n    \xe2\x80\xa2   serve as the risk manager for certain large IT projects that fall under the CIRC.\n\nIn addition, the Position Description for the Director, OERM, includes the following duties:\n\n    \xe2\x80\xa2   designing OERM\xe2\x80\x99s governance model for internal risk;\n    \xe2\x80\xa2   establishing policies and procedures to manage enterprise-wide internal risk;\n\n\n\n\n                                                        29\n\x0c   \xe2\x80\xa2   developing an integrated risk management program for the FDIC that entails identifying,\n       prioritizing, measuring, monitoring, and managing/controlling the most material internal\n       control and operating/other risks facing the Corporation;\n   \xe2\x80\xa2   developing risk quantification techniques that facilitate appropriate risk/reward choices\n       across the organization;\n   \xe2\x80\xa2   implementing a consistent risk management framework across FDIC business areas and\n       developing, implementing, and measuring the effectiveness of appropriate risk mitigation\n       strategies; and\n   \xe2\x80\xa2   developing and providing appropriate briefing material to the Chairman and Board.\n\nIn general, more needs to be done if the Corporation wants to establish an ERM infrastructure as\nenvisioned in the Bylaws and the Position Description for the Director, OERM, particularly in\nthe areas of defining roles and responsibilities, developing procedures and guidance, and\ndeveloping corporate-wide ERM training 
programs.\n\nRoles and Responsibilities\n\nThe CFO told us that he is responsible for overseeing OERM; however, the FDIC has chosen not\nto formally establish roles and responsibilities for overseeing the internal ERM Program,\nspecifically the roles that the FDIC Chairman, the FDIC Board, and the Audit Committee should\nplay. Such oversight could help ensure that OERM implements ERM infrastructure and the\nbasic components of COSO\xe2\x80\x99s ERM Framework and that the ERM program delivers risk\nmanagement information that is useful and actionable.\n\nChairman and Board: The COSO ERM Framework notes that the Chief Executive Officer\n(CEO) is ultimately responsible and should assume ownership of ERM. This includes seeing\nthat all components of ERM are in place. The CEO generally fulfills this duty by:\n\n   \xe2\x80\xa2   providing leadership and direction to senior managers, including developing the entity\xe2\x80\x99s\n       risk management philosophy, risk appetite, and culture, and\n   \xe2\x80\xa2   meeting periodically with senior managers to gain knowledge of risks inherent in\n       operations, risk responses, control improvements required, and the status of ERM efforts\n       under way.\n\nThe COSO ERM Framework notes that the Board provides important ERM oversight by:\n\n   \xe2\x80\xa2   knowing the extent to which management has established effective ERM;\n   \xe2\x80\xa2   being aware of, and concurring with, the entity\xe2\x80\x99s risk appetite;\n   \xe2\x80\xa2   reviewing the entity\xe2\x80\x99s risk portfolio and considering it against the entity\xe2\x80\x99s risk appetite;\n       and\n   \xe2\x80\xa2   being apprised of the most significant risks and whether management responds\n       appropriately.\n\nNeither the Bylaws nor the FDIC\xe2\x80\x99s ERM policy specifies the role of the Chairman or the FDIC\nBoard in implementing or overseeing internal ERM. 
Further, the Director, OERM, stated that\nthe FDIC Board does not have a role in internal ERM because the Board\xe2\x80\x99s focus is on external\n\n\n                                                 30\n\x0crisks facing the Corporation. We believe that the Chairman and the FDIC Board should have\nclearly-defined roles in ERM as suggested by the COSO ERM Framework. We also note that\nthe COSO approach is consistent with what the FDIC expects of boards of directors for\nFDIC-supervised financial institutions. Specifically, an FDIC corporate governance presentation\nfor new bank directors states that board member responsibilities include identifying the risk\nprofile for the institution and establishing a risk appetite and risk framework within which to\nidentify, measure, monitor, and control the risks of the institution.\n\nAudit Committee: The COSO ERM Framework notes that it is not uncommon for oversight\nresponsibility for ERM to be assigned to the audit committee. COSO notes that with its focus on\ninternal control over financial reporting, and possibly a broader focus on internal control, the\naudit committee already is well positioned to expand its responsibility to overseeing ERM.\n\nOMB Circular A-123 also encourages agencies to consider establishing a Senior Management\nCouncil to assess and monitor deficiencies in internal control. Such councils generally\nrecommend to the agency head which reportable conditions are deemed to be material\nweaknesses to the agency as a whole and may be responsible for (1) overseeing the timely\nimplementation of corrective actions related to material weaknesses and (2) determining when\nreportable conditions or material weaknesses have been corrected.\n\nThe FDIC established an Audit Committee as a Standing Committee to the Board. 
The\ndelegation of authority establishing the FDIC Audit Committee includes, among other things, the\nfollowing responsibilities:\n\n   \xe2\x80\xa2   overseeing the Corporation\xe2\x80\x99s financial reporting and internal controls,\n   \xe2\x80\xa2   reviewing and approving management\xe2\x80\x99s annual plan for compliance with the CFOA, and\n   \xe2\x80\xa2   assessing the sufficiency of the Corporation\xe2\x80\x99s internal control structure.\n\nOERM\xe2\x80\x99s Circular 4010.3 does not address whether the Audit Committee plays a role in\noverseeing ERM or internal control program efforts. OERM\xe2\x80\x99s Web site does indicate that the\nAudit Committee reviews and discusses OERM activities and we have observed this on\noccasion. Accordingly, considering the Audit Committee for a broader oversight role would be\nconsistent with the COSO ERM Framework, OMB Circular A-123, and Audit Committee\npractices.\n\nOERM\xe2\x80\x99s Role and Responsibilities: As discussed throughout this report, we identified variances\nbetween the requirements for the OERM Director\xe2\x80\x99s position as outlined in the FDIC Bylaws and\nthe day-to-day operations of OERM. Many of OERM\xe2\x80\x99s efforts relate to serving in an audit\nliaison capacity and monitoring the status of on-going audits and corrective actions taken in\nresponse to audit recommendations. Secondarily, we observed that OERM provides assistance\nto other divisions and offices as needed to work on special projects, such as the Privacy Program\ndeveloped by DIT and the Deposit Insurance Reform initiative.\n\nThe OERM Director and OERM staff described much of their risk management efforts as\nconsisting of meetings and/or briefings with division and office staff on specific topics of\ninterest. Thus, much of our understanding of OERM\xe2\x80\x99s risk management efforts is based on\n\n\n\n                                               31\n\x0ctestimonial evidence as opposed to documentary evidence. 
Nevertheless, the CFO and COO\nindicate that they are pleased with OERM\xe2\x80\x99s contribution to risk management and key internal\ninitiatives. Given the differences between the Bylaws description of OERM responsibilities and\nOERM\xe2\x80\x99s actual efforts, we are suggesting that the FDIC reconcile the two to promote a common\nunderstanding of OERM\xe2\x80\x99s risk management role and responsibilities.\n\nPolicies and Procedures\n\nOERM has issued high-level policy related to ERM, but OERM could do more to provide\ndetailed procedures and guidance related to methodologies, models, and systems that divisions\nand offices should use in identifying, assessing, mitigating, and reporting risk information. For\nexample, Circular 4010.3 sets forth policy 13 related to implementing an ERM Program, stating\nthat every FDIC operating and policy area should possess the following fundamental\nrequirements:\n\n      \xe2\x80\xa2   current and documented procedures,\n      \xe2\x80\xa2   reasonable controls incorporated into those procedures,\n      \xe2\x80\xa2   employees trained in the proper execution of their duties, and\n      \xe2\x80\xa2   supervisors and managers who are both empowered and held accountable.\n\nFurther, the policy indicates that each manager should:\n\n      \xe2\x80\xa2   identify key activities within his or her area of responsibility,\n      \xe2\x80\xa2   seek to determine what impediments (risks) might threaten the ability to achieve success,\n      \xe2\x80\xa2   evaluate the impediments in terms of likelihood of occurrence and potential impact, and\n      \xe2\x80\xa2   take actions as deemed necessary to mitigate risk.\n\nFurther, OERM issues guidance to divisions and offices annually related to preparing assurance\nstatements on the adequacy of internal and management/financial system controls. 
OERM has\nalso issued guidelines to OERM staff serving as risk managers on CIRC projects.\n\nHowever, OERM has not issued implementing procedures or guidance to assist divisions and\noffices in implementing ERM. According to OERM, it is up to individual division and office\nmanagers to decide how best to implement ERM. As presented in Appendix II, we saw\ndifferences in divisions\xe2\x80\x99 and offices\xe2\x80\x99 ERM programs. Most were still using traditional\n\xe2\x80\x9caccountability unit\xe2\x80\x9d approaches which are based on functional areas, as opposed to the\nidentification, assessment, and mitigation of risks emanating from strategic objectives. 14\nFurther, one division and one office expressed a need for guidance from OERM. With clear,\nuniform guidance, OERM could increase consistency in FDIC divisions and offices\xe2\x80\x99 approach to\ninternal ERM.\n\n13\n     The circular also lists GAO\xe2\x80\x99s Standards for Internal Control in the Federal Government and other OERM\n     program responsibilities such as coordinating the annual assurance statement and performing audit follow-up and\n     resolution activities.\n14\n     It should be noted that Circular 4010.3 does suggest that key activities, from a broad perspective, could be tied to\n     CPOs.\n\n\n                                                           32\n\x0cIn our view, Circular 4010.3 does not meet the level of detailed procedures contemplated in the\nBylaws, the Position Description for the OERM Director, or the COSO ERM Framework.\nMoreover, OMB Circular A-123 notes that agency management should have a clear, organized\nstrategy with well-defined documentation processes that contain an audit trail, verifiable results,\nand specify documentation retention periods so that someone not connected with the procedures\ncan understand the assessment process.\n\nOERM officials told us that they have made no decision in regard to issuing additional ERM\ndirectives or policy. 
OERM indicated that it had planned to issue procedures for special projects\nand studies, but OERM told us it had not made progress on this initiative due to other competing\npriorities. We did note that OERM updated its Web site in August 2007.\n\nTraining Programs\n\nOERM has not designed and implemented corporate-wide ERM training programs, as required\nby the FDIC Bylaws. Competency development is one of the elements of ERM infrastructure\nand is important in ensuring that entity employees speak and understand a common risk\nmanagement language and that people with the requisite knowledge, expertise, and experience\nare put in place to implement the ERM function.\n\nOERM assisted the FDIC\xe2\x80\x99s Legal Division in presenting ERM training to Legal Division\nmanagers but could do more to provide ERM training to other divisions and offices. The\nDirector, OERM, also indicated that he has spoken about ERM at several divisional conferences;\nhowever, OERM could not provide detailed information about the content of the OERM\nDirector\xe2\x80\x99s speaking engagements. 15\n\nThe Institute of Management Accountants has issued Statements on Management Accounting\nrelated to ERM frameworks and implementing ERM. 
16 Table 2 presents examples of ERM-\nrelated training topics.\n\nTable 2: Examples of ERM-Related Training Topics\n\xe2\x80\xa2   Understanding the nature of risk                     \xe2\x80\xa2 Software training\n\xe2\x80\xa2   Understanding risk management legal and regulatory \xe2\x80\xa2 Financial risk training (options, hedging strategies,\n    requirements                                            insurance options, derivatives, etc.)\n\xe2\x80\xa2 Knowledge of ERM frameworks                            \xe2\x80\xa2 Refocused strategy training and how risk interacts\n\xe2\x80\xa2 Facilitation skills                                       with strategy\n\xe2\x80\xa2 Expertise in identifying risks                         \xe2\x80\xa2  Building and understanding control solutions\n\xe2\x80\xa2 Knowledge in building risk maps                        \xe2\x80\xa2 Developing and monitoring performance metrics\n\xe2\x80\xa2 Reporting structures and options (what to report to       related to risks\n    the CEO, board, and audit committee)                 \xe2\x80\xa2 Change management\n Source: Institute of Management Accountants, Statement on Management Accounting, Enterprise Risk\n Management: Tools and Techniques for Effective Implementation, 2007.\n\n\n15\n     OERM\xe2\x80\x99s Web site indicates that OERM has developed ERM and internal control training programs that are open\n     to all division and office staff.\n16\n     Enterprise Risk Management: Frameworks, Elements, and Integration, 2006, and Enterprise Risk Management:\n     Tools and Techniques for Effective Implementation, 2007.\n\n\n                                                       33\n\x0cWe are recommending that OERM take steps to add greater structure to the ERM program in the\nform of defined roles and responsibilities, detailed procedures, and corporate-wide training\nprograms.\n\nMaturity Level of the FDIC\xe2\x80\x99s Internal ERM Program\n\nA number of organizations recognize the 
importance of using ERM maturity models to assess an\norganization\xe2\x80\x99s progress and status in implementing ERM. The Institute of Internal Auditors\nissued an article 17 stressing that maturity models should be easily understandable by management\nand should address the key components of best-practice ERM frameworks. The article identifies\nareas usually covered in maturity models, including the following:\n\n      \xe2\x80\xa2   Extent of leadership awareness within the organization.\n      \xe2\x80\xa2   Alignment of business objectives with risks and action plans.\n      \xe2\x80\xa2   Extent to which risk management roles and responsibilities of all employees are\n          articulated.\n      \xe2\x80\xa2   Extent of communication and training on ERM.\n      \xe2\x80\xa2   Rigor of monitoring and management oversight of employees and committees.\n\nWe evaluated the status of the FDIC\xe2\x80\x99s internal ERM program as administered by OERM against\nan ERM capability maturity model developed by Protiviti\xc2\xae, Inc. The model provides a\nframework for evaluating the maturity of an organization\xe2\x80\x99s risk management capabilities and\nranking those activities on a continuum of five stages of maturity from an Initial State to an\nOptimizing State. Figure 3 presents the stages, attributes, and methods of achievement for the\nmaturity model.\n\n\n\n\n17\n     Moving Forward with ERM, published in the Institute of Internal Auditors\xe2\x80\x99 June 2007 issue of Internal Auditor.\n\n\n                                                         34\n\x0cFigure 3: Protiviti\xc2\xae, Inc. 
ERM Maturity Model\n\n\n\n\n Source: Protiviti\xc2\xae, Inc.\n\nThe capability maturity model can be used to target needed risk management capability\nimprovements in six elements of ERM infrastructure suggested by Protiviti\xc2\xae, Inc.:\n(1) Business Policies, (2) Processes, (3) Competencies (people and organization), (4)\nManagement Reports, (5) Methodologies, and (6) Systems and Data. To illustrate, at the Initial\nState:\n\n   \xe2\x80\xa2   Business policies are undocumented or vague.\n   \xe2\x80\xa2   Business processes are informal and reactionary.\n   \xe2\x80\xa2   There is very little accountability either because a clearly designated risk owner has not\n       been identified or there are so many owners of risk that no one can be held accountable.\n   \xe2\x80\xa2   Management reports are sporadic, ad hoc, and informal.\n   \xe2\x80\xa2   Methodologies are over-simplified.\n   \xe2\x80\xa2   Systems and data quality are poor.\n\nAttributes of risk management capabilities at the Repeatable State include the following:\n\n   \xe2\x80\xa2   Business plans and risk policy are articulated, and policy is being followed.\n   \xe2\x80\xa2   Policies are documented and process gaps are being identified and corrected.\n   \xe2\x80\xa2   Risk owners are clearly defined and supported with staff, roles and commitments are\n       explicitly defined and understood, and people are trained in the process.\n   \xe2\x80\xa2   Regular actionable reports are issued consistently and timely.\n   \xe2\x80\xa2   Risk measures are improved but not yet integrated, and a mechanism is in place to\n       capture process and methodology improvements.\n\n\n                                               35\n\x0c   \xe2\x80\xa2   Systematic data collection exists for a few risks and is facilitating improved reporting and\n       increasing overall confidence in management reports.\n\nMaturity Assessment of the FDIC\xe2\x80\x99s Internal ERM Program\n\nWe concluded that the internal 
ERM program is in the Initial State, but possesses certain\nattributes of the Repeatable State, the second level of maturity. Generally, characteristics of the\nRepeatable State include a basic policy structure, basic risk management processes, and basic\ncontrol activities, which, as we previously reported, the internal ERM program possesses.\nHowever, the Repeatable State is also described as having explicitly defined and understood\nroles and commitments, people trained in the ERM process, independent spreadsheet models,\nand regular actionable reports\xe2\x80\x94areas in which the FDIC\xe2\x80\x99s ERM Program has not progressed as\nfar since the FDIC established the program in May 2004. Protiviti\xc2\xae, Inc., notes that while there\nare concrete things any organization can do that will make an impact on ERM within 12 months,\nit estimates that most organizations will require from 3 to 5 years to accomplish their objectives\nin fully implementing their ERM solution.\n\nRecommendations\n\nOERM is responsible for administering a comprehensive ERM program at the FDIC. However,\nwe noted that OERM\xe2\x80\x99s activities and focus vary from the FDIC Bylaws and policy governing the\nCorporation\xe2\x80\x99s ERM program. We are making the following recommendations to help OERM\nachieve attributes of a more mature ERM program.\n\n5. We recommend that the Chairman clarify the roles and responsibilities of the Chairman, the\n   Board, and the Audit Committee in relation to the FDIC\xe2\x80\x99s ERM program. We also suggest\n   that the Chairman reconcile OERM\xe2\x80\x99s current operations with the Bylaws and determine\n   whether the Bylaws should be revised or whether OERM should expand certain aspects of its\n   operations.\n\n6. We recommend that the Director, OERM, draft and issue detailed procedures for a\n   comprehensive ERM program as envisioned in the Corporate Bylaws.\n\n7. 
We recommend that the Director, OERM, take steps to develop and present corporate-wide\n   training to FDIC employees on the ERM program as envisioned in the Corporate Bylaws.\n\n\n\n\n                                                36\n\x0cOther Matter for Consideration: Integrating Enterprise Risk\nManagement at the FDIC\n\n     According to COSO, enterprise risk management requires an entity to take a\n     portfolio view of risk. This means considering activities at all levels of the\n     organization -- from enterprise-level activities such as strategic planning to\n     business unit activities and business processes.\n\nAs COSO notes, ERM requires management to consider interrelated risks from an entity-level\nportfolio perspective. Risks for individual units of the entity may be within the units\xe2\x80\x99 risk\ntolerances but, taken together, may exceed the risk appetite of the entity as a whole. With a\ncomposite view at each succeeding level of the organization, senior management is positioned to\ndetermine whether the entity\xe2\x80\x99s overall risk portfolio is commensurate with its risk appetite.\n\nEnterprise Risk Management at the FDIC\n\nAs discussed throughout this report, FDIC business line divisions (DIR, DSC, DRR) are\nprimarily responsible for managing external risks, while OERM focuses principally on internal\nrisks.\n\nExternal Risk Management: During a recent study of the FDIC, 18 GAO reported that the FDIC\nhas an extensive system for assessing and monitoring external risks. GAO noted that in addition\nto its supervisory oversight of individual institutions, the FDIC conducts a wide range of other\nactivities to monitor and assess risk at a broader level, from a regional perspective to a national\nview. 
Specifically, the FDIC\xe2\x80\x99s risk assessment and monitoring process includes input from the:\n\n      \xe2\x80\xa2   Regional Risk Committees, which evaluate regional economic and bank trends and risks;\n      \xe2\x80\xa2   National Risk Committee (NRC), which meets monthly to identify and evaluate the most\n          significant external business risks facing the FDIC and the banking industry;\n      \xe2\x80\xa2   Risk Analysis Center, which is an interdivisional forum for discussing significant,\n          cross-divisional, risk-related issues and which provides reports and analysis to the NRC;\n      \xe2\x80\xa2   Financial Risk Committee, which quarterly recommends an amount for the Deposit\n          Insurance Fund\xe2\x80\x99s contingent loss reserve\xe2\x80\x94the estimated probable loss attributable to\n          failure of institutions in the coming 12 months; and\n      \xe2\x80\xa2   DIR, which has a leading role in delivering a key set of semiannual reports 19 that the\n          Board uses as a basis for setting the Deposit Insurance Fund\xe2\x80\x99s premium (deposit\n          insurance assessments) schedule.\n\n\n\n18\n     Federal Deposit Insurance Corporation: Human Capital and Risk Assessment Programs Appear Sound, but\n     Evaluations of Their Effectiveness Should be Improved (GAO-07-255, February 2007).\n19\n     These key reports include the Risk Case, which summarizes national economic conditions and banking industry\n     trends and discusses emerging risks in banking, and the Rate Case, which recommends a premium schedule\n     based on analysis of likely losses to the fund from failures; growth of insured deposits; investment income; and\n     other factors.\n\n\n                                                          37\n\x0cGAO also noted that the FDIC has developed broad plans and specific strategies for handling an\nincrease in troubled or failed institutions. 
In this regard, the Resolution Policy Committee 20 is\nresponsible for developing plans to handle potential or actual failure of the largest institutions,\nand DRR has created a detailed blueprint for managing the failure of a large institution.\n\nGAO concluded that the FDIC could do more to monitor and evaluate its external risk\nmanagement activities. GAO also reported that an unclear line of responsibility could be\ncontributing to weaknesses in some of the FDIC\xe2\x80\x99s evaluations of its risk activities and suggested\nthat the FDIC would benefit by designating official(s) or an office, or establishing procedures, to\nensure that evaluation and monitoring of risk activities are conducted regularly and\ncomprehensively. GAO recommended developing policies and procedures that clearly define\nhow the FDIC will systematically evaluate and monitor its risk assessment activities and ensure\nthat required evaluations are conducted in a comprehensive and routine fashion. In response, the\nFDIC indicated that an interdivisional committee would perform an in-depth review of its current\nrisk assessment activities and evaluation procedures.\n\nInternal Risk Management: As discussed throughout this report, OERM is responsible for\ninternal enterprise risk management at the FDIC. In this regard, the CFO issued an e-mail to all\nFDIC employees in April 2004, on the subject of Office of Enterprise Risk Management, which\nstated:\n\n          Effective immediately, the name of the Office of Internal Control Management\n          (OICM) is changed to the Office of Enterprise Risk Management (OERM). A\n          review of risk management best practices in the public and private sectors found\n          that internal controls have evolved to a more proactive and enterprise-wide\n          approach. 
     The proactive approach focuses on the identification, quantification, and mitigation of risk, instead of the traditional control evaluation and audit tracking model. We firmly believe this is the appropriate direction in which the OERM should proceed.

     Unlike many other organizations that manage all risk, both internal and external to the entity, the OERM will focus principally on risks internal to the FDIC, such as serving as the Risk Manager for several of the largest Information Technology (IT) projects which fall under the Capital Investment Review Committee (CIRC). External risk management will continue to be the primary responsibility of DIR, DSC, DRR, and other divisions and offices throughout the Corporation.

OERM carries out its internal ERM role by meeting with division and office representatives to discuss internal control issues, conducting internal control reviews—mostly of internal corporate issues, serving as a risk management advisor on large IT projects, and coordinating the annual assurance statement process.

Figure 4 on the next page illustrates our understanding of the entities that contribute to the FDIC's external and internal risk management activities.

[20] Resolution Policy Committee members are: the COO (serves as chair), CFO, General Counsel, and Directors of DSC, DIR, and DRR.

Figure 4: Entities that Contribute to Internal and External Risk Management
(Diagram contents listed by group.)

External Operations and Risks

Interagency Committees
• Federal Financial Institutions Examination Council (FFIEC)
• Basel Committee on Banking Supervision

External Risk Committees
• National Risk Committee
• Regional Risk Committees
• Financial Risk Committee
• Resolution Policy Committee
• Risk Analysis Center

Driver Divisions
• Division of Insurance and Research
• Division of Supervision and Consumer Protection
• Division of Resolutions and Receiverships

Board of Directors; Chairman; COO & CFO

Operating Committee

Standing Committees
• Supervisory Appeals Review Committee
• Case Review Committee
• Assessment Appeals Committee
• Audit Committee

OIG and GAO

Internal Operations and Risk

Internally-Focused Committees

Operational
• Corporate Investment Advisory Group
• Customer Advisory Committee
• Savings Plan Committee

Human Resource-Related
• Human Resources Committee
• Executive Review Board
• Chairman's Diversity Advisory Council
• Diversity Steering Committee
• Alternative Dispute Resolution Steering Committee

Information Technology-Related
• Capital Investment Review Committee
• Chief Information Officer Council
• Project Management Office
• Corporate Data Sharing Steering Committee
• Information Technology Committee
• Website Advisory Committee

Office of Enterprise Risk Management

Divisional Internal Control/Risk Management Units
• DSC Internal Control and Review Section
• DRR Internal Review Section
• DIR Planning and Resource Management Section
• Legal Division Internal Review Group
• DIT Audit and Internal Control Section
• DOF Administration and Internal Controls Section
• DOA Management Support Section
• Other internal control resources within FDIC offices

Source: OIG Analysis

Opportunities to Enhance ERM at the FDIC

As discussed above, the FDIC ERM Program is limited to internal FDIC operations, by design. This approach is contrary to the fundamental COSO ERM Framework tenet that ERM should be applied across the enterprise, at every level and unit, and should include taking an entity-level portfolio view of risk.
Without an enterprise-wide view of risk, the FDIC may not be in a position to align and integrate varying views of risk management across the organization or effectively assess systemic risks.

We are suggesting that the FDIC consider whether the Corporation's internal and external risk management activities should be integrated and, if so, ensure that such integration is done efficiently and effectively.

CORPORATION COMMENTS AND OIG EVALUATION

After discussing the draft report findings, suggestions, and recommendations with the Chairman, management provided us a written response, dated October 18, 2007. As noted in management's response, we provided an executive briefing to the Chairman and senior officers of the Corporation on September 26, 2007, regarding our draft report. The Inspector General further discussed our recommendations with the CFO and Chairman subsequent to the executive briefing. Management's response is presented in its entirety in Appendix II. Appendix III contains a summary of management's responses to our recommendations.

It is important to note that, as discussed in management's response, if there is an unresolved dispute between management and the OIG on any given audit report recommendation, the Audit Committee provides input to the Chairman, who makes all final determinations regarding such disputes in her role as the FDIC's Audit Follow-Up Official (AFO). Accordingly, in this instance, because the Chairman has been involved in the response process, management's written comments constitute the FDIC's final determinations regarding the suggestions and recommendations in our draft report.

In its written response, management indicated that over the past 4 years, the Corporation has diligently sought to streamline and improve the integration and effectiveness of its internal risk management processes, employing a number of "best practices" and generally following the GAO blueprint outlined in GAO's 2005 testimony before the Subcommittee on Government Management, Finance, and Accountability/Committee on Government Reform, entitled, Financial Management: Effective Internal Control is Key to Accountability.

The response further noted that management gave careful thought to the seven recommendations in our report, as well as the two suggestions we offered. After discussions with the Chairman, management stated that it intends to adopt certain items in the draft report and has alternative actions underway that may address some of the concerns underlying these recommendations and suggestions.

The Corporation's response to the recommendations and suggestions is summarized below, together with our evaluation of the response. The recommendations and suggestions are presented in the same order as they appear earlier in the report.

FDIC Committees and Groups that Contribute to Internal Risk Management: We suggest that the Chairman's Office, in coordination with the COO and the CFO, articulate and document how the various committees and groups interrelate in managing internal risk.

Management's response indicated that the COO and the CFO will look at developing a more comprehensive blueprint to enhance the coordination and documentation of these committees and groups, where appropriate, during 2008.

We agree with management's planned action.

Recommendation 1: We recommend that the Chairman further study variances between the FDIC's overall internal ERM efforts and the COSO ERM Framework as discussed in this report and take steps to address the variances where it will add value to the FDIC's ERM program.

Management stated in its response that it agreed that there is value to more clearly defining and communicating the Corporation's risk appetite and ensuring that corporate objectives are aligned with this appetite. The Chairman's office will be considering a variety of vehicles to do this for 2008 and beyond, such as developing a corporate risk statement to accompany the planning and budgeting process that produces Corporate Performance Objectives.
Further, management stated that it believes there is merit to exploring improved communication channels regarding internal risk management and will look for opportunities to add value and enhance these channels, including the possible augmentation of certain existing reports and/or expanding Audit Committee and other management briefings.

We agree with management's planned action.

Recommendation 2: We recommend that the Director, OERM, take necessary steps to develop and issue an annual assurance statement to the Chairman related to the OERM program and other OERM responsibilities.

Management stated in its response that OERM is an extension of the CFO's office and, by design, needs to maintain a certain level of independence for the annual assurance statement process. Management described OERM's quality assurance role in that process and stated that it believes the substance of this process is more effective than just having OERM sign a statement to the Chairman.

We accept management's response and consider this recommendation closed. However, we maintain that it would be prudent for OERM, consistent with all other divisions and offices, to provide documented assurance to the Chairman that its own program is achieving, or assisting other divisions and offices in achieving, all relevant control objectives.

Recommendation 3: We recommend that the Director, OERM, coordinate with the Legal Division to review section 4 reporting requirements to determine the FDIC's reporting responsibilities.

Recommendation 4: Based upon the results of recommendation 3, we recommend that the Director, OERM, issue guidance for FMFIA section 4 reporting and the work required to support an assertion on financial management systems.

Management stated in its response that the FDIC's responsibilities under Section 4 of FMFIA are clear: the FDIC must provide a statement of assurance as to whether or not its financial management systems, including its internal controls, are effective. Management further stated that it believes that OMB Circulars A-11, A-123, A-127, A-130, FFMIA, and FISMA provide additional variables to consider in determining what the Corporation must do to fulfill its responsibilities in these matters. According to management, while only a portion of this body of guidance directly applies to the FDIC from a legal perspective, management has coordinated with the Legal Division over the years and developed an integrated approach for providing assurance that it believes more than satisfies the letter (as applicable) and the spirit of the requirements. Finally, the FDIC believes that its process for assurance reporting emphasizes substance over form and has been successfully integrated into the day-to-day management of DOF, DIT, and others in the FDIC who have a role in NFE.

We noted that management's response detailed the FDIC's efforts to meet the requirements of Section 4 and OMB Circular A-127, Financial Management Systems, in a comprehensive manner that did not exist when we conducted our evaluation. This newly documented framework is a positive step toward meeting the intent of report recommendations 3 and 4. However, we believe it would be prudent for the FDIC to establish this framework formally outside of management's response to this evaluation. As noted in the report and in management's response, we and the Corporation have received different information regarding GAO's position on the scope of its financial statement audit as it relates to coverage of Section 4, financial management systems. We encourage the CFO and OERM—possibly in conjunction with the Audit Committee—to formally discuss this matter with GAO so that all parties are in agreement on the scope of the 2008 financial statement audit regarding Section 4 coverage. We would also suggest that the FDIC include discussion of Section 4, financial management systems, in FDIC management's assertions to GAO. These assertions help to form the basis and scope of the financial statement audit.

As discussed above, we believe that the FDIC should take further action to address Recommendations 3 and 4. As a result, we disagree with management's decision on these recommendations. However, because the Chairman as the FDIC's AFO has already been consulted on and concurred with management's response, we will not be pursuing the recommendations any further and consider them closed.

Recommendation 5: We recommend that the Chairman clarify the roles and responsibilities of the Chairman, the Board, and the Audit Committee in relation to the FDIC's ERM program. We also suggest that the Chairman reconcile OERM's current operations with the Bylaws and determine whether the Bylaws should be revised or whether OERM should expand certain aspects of its operation.

Management stated in its response that it would clarify the roles of the Chairman, the Board, and the Audit Committee in relation to the FDIC's ERM program. We agree with management's planned action on this aspect of the recommendation. The Corporation's response to reconciling OERM's current operations with the Bylaws is discussed further in Recommendations 6 and 7.

Recommendation 6: We recommend that the Director, OERM, draft and issue detailed procedures for a comprehensive ERM program as envisioned in the Corporate Bylaws.

Recommendation 7: We recommend that the Director, OERM, take steps to develop and present corporate-wide training to FDIC employees on the ERM program as envisioned in the Corporate Bylaws.

Management stated in its response that it recognizes the need for a comprehensive ERM program; the OIG's concern about consistent, detailed internal control procedures at the Division/Office level; and the benefits of appropriate training to meet the needs of the FDIC. However, management does not believe that there are any discrepancies between OERM's current operation and the respective Bylaws, and management continues to fully support OERM's efforts in developing and
implementing a comprehensive ERM program and appropriate training program. Management's response described various OERM activities that it believes provide for a consistent internal control framework across the Corporation.

We contend that an effective and efficient ERM program begins with a sound and mature ERM infrastructure. As discussed in our report, OERM has not:

• Established procedures for the development, maintenance, and evaluation of a comprehensive ERM program: In this regard, our report notes several sources of criteria beyond the Bylaws that call for a well-defined and documented risk management program. For example, OMB Circular A-123, Management's Responsibility for Internal Control, notes that agency "...management should have a clear, organized strategy with well-defined documentation processes that contain an audit trail, verifiable results, and specify documentation retention periods so that someone not connected with the procedures can understand the assessment process." As discussed in our report, we saw limited implementing procedures for the internal risk management program and few recommended tools or techniques for identifying, assessing, and reporting risks. Further, as one consequence of the lack of established procedures, we found inconsistent practices between the various divisional internal review units.

• Designed and implemented corporate-wide ERM training programs: Our report notes that competency development is a key element of ERM infrastructure and that it is important to ensure that employees speak and understand a common risk management language and have the knowledge and skills to implement the ERM program. The Corporation's response indicates that training and development programs are available and notes that OERM encourages divisions and offices to contact OERM if there is a need for training. We agree that the OERM Web site states that training related to ERM, internal control, and assurance statements is available at divisions', offices' or individuals' request. However, OERM provided few examples of divisions or offices that had actually received training.

Our evaluation concluded that OERM's internal risk management program was at a relatively low level of maturity, in part because of a lack of procedures and formal training programs. During a discussion of the results of our review, the CFO and COO stated that they generally agreed with our maturity assessment. Thus, we disagree with the Corporation's response to Recommendations 6 and 7, which were intended to assist the FDIC in increasing the maturity level of its internal risk management program. As with Recommendations 3 and 4, because the Chairman as the FDIC's AFO has concurred with management's response, we will not pursue the recommendations further. We consider the recommendations closed but will look for opportunities to engage in a continuing dialogue with the Corporation regarding the maturity of its ERM infrastructure.

Opportunities to Enhance ERM at the FDIC: We are suggesting that the FDIC consider whether the Corporation's internal and external risk management activities should be integrated and, if so, ensure that such integration is done efficiently and effectively. Doing so would be consistent with the fundamental COSO ERM Framework tenet that ERM should be applied across the enterprise, at every level and unit, and should include taking an entity-level portfolio view of risk.

In its response, management stated that the COSO ERM Framework is not appropriate for universal application to the FDIC. Management further stated that rather than focusing on housing all external and internal risk management activities in one office or under one person, the FDIC utilizes a risk matrix approach, with virtually all risk management activities reporting to either the COO and/or CFO, on behalf of the Chairman. Further, according to the response, these activities are optimized by extensive communication channels upward and throughout the FDIC, and are directly linked into the FDIC's corporate planning, budget, and performance measurement process.

As noted in the report, we did not do extensive work in this area. In addition, management's planned action to develop a more comprehensive blueprint to enhance the coordination and documentation of committees and groups involved in risk management will help ensure integration exists, where appropriate. Further, in response to GAO's Report No. GAO-07-255, referred to earlier in our report, the FDIC formed a committee to review its risk management activities and evaluation procedures, make recommendations for strengthening the Corporation's risk management framework, and establish a plan for implementing the committee's recommendations. Therefore, we accept management's position on this suggestion.

Tracking Management's Planned Actions. At a November 2007 meeting between the FDIC Chairman and the Inspector General, the Chairman committed to tracking those corrective actions agreed to by management. Accordingly, management's planned actions in response to (1) our suggestion regarding documenting how the various committees and groups interrelate in managing internal risk and (2) Recommendations 1 and 5 should be included in the Corporation's Internal Risks Information System, along with expected completion dates.

APPENDIX I

Objective, Scope, and Methodology

The objective of our review was to assess (1) the extent to which the FDIC has implemented an enterprise risk management program consistent with applicable government-wide guidance and (2) OERM's implementation of FDIC Circular 4010.3, FDIC Enterprise Risk Management Program, dated September 25, 2006. To accomplish our objective, we assessed:

• the extent to which the FDIC's enterprise risk management program addresses Office of Management and Budget Circular A-123, Management's Responsibility for Internal Control, dated December 21, 2004, and the Treadway Commission's Committee of Sponsoring Organizations report entitled Enterprise Risk Management – Integrated Framework (September 2004), and
• OERM's administration of, and FDIC division and office participation in, the FDIC's enterprise risk management program.

Scope and Methodology

We performed field work in the FDIC divisions and offices located in Washington, D.C., and Arlington, Virginia. We performed our evaluation from December 2006 through June 2007, in accordance with the Quality Standards for Inspections.
To accomplish our objective, we performed the following:

We identified and reviewed pertinent sections of applicable laws, regulations, and other criteria on Enterprise Risk Management:

• Budget and Accounting Procedures Act of 1950, which includes the Accounting and Auditing Act of 1950.
• Federal Deposit Insurance Act.
• Federal Managers' Financial Integrity Act of 1982 (FMFIA).
• Chief Financial Officers Act of 1990 (CFO Act).
• Government Performance and Results Act of 1993 (GPRA).
• Federal Financial Management Improvement Act of 1996 (FFMIA).
• Reports Consolidation Act of 2000.
• Office of Management and Budget (OMB) Circular A-123, Management's Responsibility for Internal Control, dated December 21, 2004, effective for Fiscal Year 2006.
• OMB Circular A-127, Financial Management Systems.
• GAO Standards for Internal Control in the Federal Government, November 1999 (GAO/AIMD-00-21.3.1).
• FDIC Directive 4010.3, FDIC's Enterprise Risk Management Program, dated September 25, 2006.
• COSO Enterprise Risk Management – Integrated Framework, September 2004.
• FDIC Bylaws dated February 22, 2005.

We researched and reviewed:

• GAO Report No. GAO-05-321T, Financial Management: Effective Internal Control Is Key to Accountability, February 16, 2005.
• GAO Report No. GAO-05-881, Financial Management: Achieving FFMIA Compliance Continues to Challenge Agencies, September 2005.
• GAO Report No. GAO-07-255, Federal Deposit Insurance Corporation: Human Capital and Risk Assessment Programs Appear Sound, but Evaluations of Their Effectiveness Should Be Improved, February 2007.
• November 23, 2005 Memorandum from the Director, OERM, to Division and Office Directors Regarding Update on ERM in the FDIC.
• OERM Guidance for Assurance Statements, 2005, 2006, and 2007.
• Office of Internal Control Management FDIC Internal Control and Risk Management Manual, April 1998.

We reviewed the FDIC's:

• 2005-2010 Strategic Plan.
• 2006 and 2007 Annual Performance Plans.
• 2003, 2004, 2005, 2006 Annual Reports.
• 2006 Annual Assurance Statements from Divisions and Offices.

We obtained and reviewed the prior related OIG reports:

• Evaluation of the FDIC's Use of Performance Measures (Evaluation Report Number EVAL-07-002), dated May 2007.
• Strategies for Enhancing Corporate Governance (Audit Report Number 04-032), dated September 3, 2004.

We interviewed Internal Control Liaisons and internal review officials in all divisions and two offices to inquire about their respective risk management programs and activities, and we reviewed and analyzed material provided by the officials we interviewed.

We met with Office of Thrift Supervision and OCC officials to obtain best practice information regarding their respective risk management programs.

We researched and reviewed Guide to Enterprise Risk Management: Frequently Asked Questions, prepared by Protiviti®, Inc., dated January 2006. We also reviewed a Protiviti®, Inc. publication entitled, Enterprise Risk Management: Practical Implementation Ideas.

We reviewed the Institute of Management Accountants' Statements on Management Accounting entitled, Enterprise Risk Management: Frameworks, Elements, and Integration, 2006 and Enterprise Risk Management: Tools and Techniques for Effective Implementation, 2007. We reviewed the Institute of Internal Auditors publication entitled, The Audit Committee: A Holistic View of Risk.

Evaluation of Internal Controls

We gained an understanding of relevant control activities within the FDIC's ERM Program by reviewing:

• organization charts,
• policies stipulated in FDIC Circular 4010.3,
• procedures outlined in guidance issued annually to divisions and offices in regard to annual assurance statements, and
• the assurance statement process.

Laws and Regulations and Fraud and Illegal Acts

We reviewed the various statutes and implementing regulatory guidance identified in this report for purposes of determining the legal context in which OERM's activities operate. Where appropriate, given the objective of this evaluation, we have identified areas in which compliance with pertinent legal provisions could be enhanced. The nature of our evaluation objective did not require that we assess the potential for fraud and illegal acts. However, throughout the evaluation, we were alert to the potential for fraud and illegal acts, and no instances came to our attention.

APPENDIX II

Division and Office Risk Management/Internal Review Programs

The extent to which FDIC divisions and offices are participating in the FDIC's ERMP varies from (1) some organizations revamping their respective programs from the traditional internal control review approach toward an ERM approach to (2) other divisions and offices either making minor changes or no revisions to their traditional programs because the respective organizations viewed their internal control programs as being enterprise-wide risk focused.

The resources involved in the internal risk management program are shown in Table 3. It should be noted that some staff participate in risk management activities on a collateral basis performing duties such as budgeting, special projects, IT, and details to assist senior management.
Further,\nsenior management executives are not counted in these numbers.\n\n  Table 3: Division and Office Internal Review Staffing\n  Divisions/\n                Staffing      Description\n  Offices\n    Legal            7        Four Attorneys, 2 Management Analysts, and 1 Paralegal Specialist.\n       DIT           3        One Corporate Manager (CM), 1 CG-14, and 1 CG-13\n       DSC          12        12 permanent staff, supplemented by regional and field office detailees.\n     DRR             9        Two managers and 7 internal review specialists\n    ODEO             3        One CG-14 and 2 CG-13\n    DOA              6        One CM, 3 CG-14, 2 CG-13\n       DIR           3        One CM and 2 CG-14 (All Collateral Duty )\n       DOF          11        One CM, 3 CG-14, 6 CG-13, and 1 CG-12\n       OIG           1        CG-14 \xe2\x80\x93 Collateral duty\n       CU            2        One Manager \xe2\x80\x93 Collateral duty, One collateral duty detailee\n  Source: Interviews with division and office staff.\n\nWe interviewed Internal Control Liaisons (ICL) for the 10 divisions and offices shown above to\ninquire about their respective risk management programs and activities. We specifically asked\nthe ICLs to: (1) provide an overview of the risk management program established in their\nrespective divisions and offices to support division and office management in reaching program\ngoals and objectives and using resources efficiently and effectively \xe2\x80\x93 a division and office\nresponsibility outlined in Circular 4010.3, and (2) discuss their internal control/internal review\nprograms and processes. The following sections reflect the ICLs\xe2\x80\x99 responses to our inquiries.\n\nDSC Internal Control and Review Section (ICRS): is responsible for developing,\nimplementing, overseeing, and coordinating DSC\xe2\x80\x99s internal risk management activities. 
DSC has a comprehensive regional and field office review program that is risk-focused and uses standardized review work programs.

   •  The DSC field territory review process focuses primarily on the overall quality of the supervisory work products produced by each field territory. A statistical and judgmental sample of supervisory work products is reviewed for each field territory.

   •  The scope of each regional office review is determined based on four areas: the region’s risk profile, findings of the field territory reviews conducted in that region, findings in previous regional office reviews, and requests/recommendations from the Division Director.

During 2006, ICRS started 38 field territory reviews (23 risk management territories and 15 compliance territories). The review program includes DSC internal review staff as well as detailees from regions and field offices. Subject matter experts from headquarters, such as IT specialists, also accompany the team. During 2006, DSC detailed 32 staff to work on these reviews.

DRR Internal Review Section: DRR’s Internal Review Section conducts an annual risk assessment during the fourth quarter of each year to determine the areas on which to focus internal control reviews.
Using the DRR Strategic Plan as a foundation, DRR grouped the 2007 risk areas into five broad categories:

   •  Ineffective Use of Human Resources
   •  Loss of Personal and/or Sensitive Information
   •  Lack of Readiness
   •  Incomplete IT Projects
   •  Failure to Maintain Daily Operations

Based on the risks listed above and on feedback from DRR management regarding the risks they see in their respective functional areas, DRR identified about 16 potential areas for review over the next 18 months.

DRR indicated that the Division addresses risk management at an enterprise level (i.e., looking at the management of risk associated with an activity or function across all DRR functions), and that doing so gives it the flexibility to review business processes and work flows across all affected areas and to mitigate risk from a cross-functional perspective.

DIR Planning and Resource Management Section: DIR modeled its internal review program after DSC’s structured internal review program. DIR uses AUs in its program and has five AUs:

   1. Call Report.
   2. Risk Information System.
   3. Risk Analysis (Operations). Risk analysis program offices are reviewed every 2 years.
   4. Central Data Repository.
   5. Assessments.

DIR’s regional/area offices are subject to an internal review once every 2 years, conducted in accordance with a review program that contains objectives, structure, and review procedures. DIR’s review program states that the results of the office reviews are used to: (1) provide feedback to Regional Managers, (2) inform other regions of best practices, (3) serve as tangible feedback regarding the effectiveness of DIR’s policies, practices, and procedures, and (4) test the various control objectives established in DIR’s annual strategic plan and AU management control plans.

Legal Division Internal Review Group (IRG): In 2006, IRG developed an enterprise risk management program that identifies, monitors, and manages risks found in the Legal Division. The program concentrates on the major or significant risks facing the Division that could grow into serious problems for the Corporation. IRG, with assistance from OERM, examined the Legal Division’s eight AUs (see footnote 21) and reduced the number of AUs to three: Legal Division Management, Litigation, and Information Systems. For example, IRG determined that while outside counsel management and ethics were still risk factors, these AUs no longer rose to the level of individual reporting and were folded into the new Legal Division Management AU. IRG prepared Internal Control Review Forms for each AU and identified 3 to 4 risks or potential vulnerabilities for each AU.

After discussions with OERM, IRG recommended discontinuing the stove-piped site visitation program and replacing it with division-wide risk management reviews.
Under the new program, each AU would be assigned to a team of two IRG staff, and each team would conduct an annual review of its assigned AU throughout the Legal Division, as appropriate.

Footnote 21: The eight AUs were: (1) Outside Counsel Management, (2) Official Records of the Board of Directors, (3) Freedom of Information Act/Privacy Act, (4) Rulemaking Process, (5) Employee Ethics, (6) Data Quality, (7) Legal Division Litigation, and (8) Legal Division Management.

Division of Information Technology Internal Review: DIT has an initiative to change its entire internal review process to a new industry practice for information technology. DIT has adopted the COBIT framework, a governance framework and supporting toolset that helps management bridge the gaps between internal control requirements, risk management, and technical issues. COBIT provides a framework to help ensure that IT functions are adequately aligned with the business, that resources are used responsibly, and that risks are well managed. COBIT is an international IT controls and governance standard that organizes IT activities into 34 processes. COBIT helps managers ensure that their IT investments are aligned with business goals and objectives and that IT-related risks and opportunities are appropriately managed.

Division of Administration Management Support Section (MSS): MSS has changed its internal reviews from a compliance perspective to a more collaborative process, conducted in conjunction with management, that concentrates on important and risky areas. Further, in late 2006, MSS stated in correspondence to senior DOA managers that it would focus on high-impact areas during the upcoming year. MSS defines its workload based on meetings with DOA management, consultation with OERM, review of recent audit conditions, analysis of emerging trends, and professional judgment.

Division of Finance Administration & Internal Control Section (AICS): AICS has three major functions, namely (1) internal control reviews, (2) business process reviews, and (3) support to the Director and Deputy Director for special projects. In 2006, DOF’s inventory of AUs consisted of the following.

   1. Budget.
   2. Assessments.
   3. Manage Cash and Investments.
   4. Disbursements.
   5. Receipts.
   6. Accounting Operations/Corporate Operations.
   7. Financial Reporting.
   8. Accounting and Financial Information Systems.

As an example of a business process review, AICS provided a 2006 NFE Business Process Review Project Plan that included a risk management section identifying objectives and the five steps of the risk management process, namely (1) identify the risks, (2) assess the risks, (3) plan the risk response, (4) monitor the risk, and (5) document the lessons learned.

ODEO: ODEO uses AUs but merged its three AUs into one AU that includes (1) Complaint Processing, (2) Diversity and Affirmative Action, and (3) Minority and Women Outreach. ODEO conducts an internal control review of complaint processing every year, and the other two programs are reviewed every 2 years. Through a memorandum of understanding dated July 5, 2002, OERM provides routine assistance to ODEO in the following activities:

   •  Planning the internal control program.
   •  Performing internal control reviews of the Complaint Processing Program.
   •  Implementing and monitoring corrective actions for the Complaint Processing Program.

Corporate University (CU): CU does not have a formal internal review program. Controls over CU include a governing board that is comprised of division and office directors.
In addition, the FDIC Human Resources Committee provides high-level oversight and control over CU. In 2006, CU had one AU, Contractor Oversight, ranked as a medium risk.

OIG: OIG’s ICL is responsible for the OIG internal control program. The OIG has AUs corresponding to its major functions and operations: audits, evaluations, investigations, Counsel’s operations, and management and congressional relations. OIG operations undergo internal quality control reviews and external peer reviews.


APPENDIX III

CORPORATION COMMENTS

[Pages 52 through 63 of the original report contain the Corporation’s comments as scanned images; no text was extracted.]


APPENDIX IV

MANAGEMENT RESPONSES TO RECOMMENDATIONS

This table presents the management response on the recommendations in our report and the status of the recommendations as of the date of report issuance. For each recommendation it gives the corrective action taken or planned and its status, the expected completion date, the monetary benefits, whether the recommendation is resolved (see note a), and whether it is open or closed (see note b).

Suggestion
  Corrective action taken or planned: Management will take appropriate action to add more clarity to the interaction and interdependencies of the existing committees. The COO and the CFO will look at developing a more comprehensive blueprint to enhance the coordination and documentation of FDIC committees and groups, where appropriate, during 2008.
  Expected completion date: To be determined. Monetary benefits: $0. Resolved: Yes. Status: Open.

Recommendation 1
  Corrective action taken or planned: The Chairman’s office will be considering a variety of vehicles to more clearly define and communicate the Corporation’s risk appetite and ensure that corporate objectives are aligned with this appetite for 2008 and beyond, such as developing a corporate risk statement to accompany the planning and budgeting process that produces Corporate Performance Objectives. Further, management will look for opportunities to add value and enhance channels for communicating internal risk management activities, including the possible augmentation of certain existing reports and/or expanding Audit Committee and other management briefings.
  Expected completion date: To be determined. Monetary benefits: $0. Resolved: Yes. Status: Open.

Recommendation 2
  Corrective action taken or planned: No action planned. Management stated in its response that OERM is an extension of the CFO’s office and, by design, needs to maintain a certain level of independence for the annual assurance statement process. Management described OERM’s quality assurance role in that process and stated that it believes the substance of this process is more effective than just having OERM sign a statement to the Chairman.
  Expected completion date: N/A. Monetary benefits: $0. Resolved: Yes. Status: Closed.

Recommendation 3
  Corrective action taken or planned: No action planned. Management stated in its response that the FDIC’s responsibilities under Section 4 of FMFIA are clear and that management has coordinated with the Legal Division over the years and developed an integrated approach for providing assurance that more than satisfies the letter (as applicable) and the spirit of the Section 4 requirements.
  Expected completion date: N/A. Monetary benefits: $0. Resolved: Yes. Status: Closed.

Recommendation 4
  Corrective action taken or planned: No action planned. Management stated in its response that the FDIC’s responsibilities under Section 4 of FMFIA are clear and that management has coordinated with the Legal Division over the years and developed an integrated approach for providing assurance that more than satisfies the letter (as applicable) and the spirit of the Section 4 requirements.
  Expected completion date: N/A. Monetary benefits: $0. Resolved: Yes. Status: Closed.

Recommendation 5
  Corrective action taken or planned: Management will clarify the roles of the Chairman, the Board, and the Audit Committee in relation to the FDIC’s ERM program. We agree with management’s planned action on this aspect of the recommendation. However, management does not believe that there are any discrepancies between OERM’s current operation and the respective Bylaws, and management continues to fully support OERM’s efforts in developing and implementing a comprehensive ERM program and appropriate training program.
  Expected completion date: To be determined. Monetary benefits: $0. Resolved: Yes. Status: Open.

Recommendation 6
  Corrective action taken or planned: No action planned. Management does not believe that there are any discrepancies between OERM’s current operation and the respective Bylaws, and management continues to fully support OERM’s efforts in developing and implementing a comprehensive ERM program and appropriate training program.
  Expected completion date: N/A. Monetary benefits: $0. Resolved: Yes. Status: Closed.

Recommendation 7
  Corrective action taken or planned: No action planned. Management does not believe that there are any discrepancies between OERM’s current operation and the respective Bylaws, and management continues to fully support OERM’s efforts in developing and implementing a comprehensive ERM program and appropriate training program.
  Expected completion date: N/A. Monetary benefits: $0. Resolved: Yes. Status: Closed.

Suggestion
  Corrective action taken or planned: No action planned. In its response, management stated that the COSO ERM Framework is not appropriate for universal application to the FDIC. Management further stated that rather than focusing on housing all external and internal risk management activities in one office or under one person, the FDIC utilizes a risk matrix approach, with virtually all risk management activities reporting to either the COO and/or the CFO, on behalf of the Chairman. Further, these activities are optimized by extensive communication channels upward and throughout the FDIC, and are directly linked into the FDIC’s corporate planning, budget, and performance measurement process.
  Expected completion date: N/A. Monetary benefits: $0. Resolved: Yes. Status: Closed.

Note a. Resolved: (1) Management concurs with the recommendation, and the planned corrective action is consistent with the recommendation. (2) Management does not concur with the recommendation, but the planned alternative action is acceptable to the OIG. (3) Management agrees to the OIG monetary benefits, or a different amount, or no ($0) amount. Monetary benefits are considered resolved as long as management provides an amount.

Note b. Once the OIG determines that the agreed-upon corrective actions have been completed and are effective, the recommendation can be closed. In this case, we are closing the recommendations because the Chairman, as the Corporation’s AFO, has supported management’s response to the report’s suggestions and recommendations.